Abstract

We present an iterative algorithm for enforcing policies represented in a first-order logic, which can, in particular, express all transmission-related clauses in the HIPAA Privacy Rule. The logic has three features that raise challenges for enforcement: uninterpreted predicates (used to model subjective concepts in privacy policies), real-time temporal properties, and quantification over infinite domains (such as the set of messages containing personal information). The algorithm operates over audit logs that are inherently incomplete and evolve over time. In each iteration, the algorithm provably checks as much of the policy as possible over the current log and outputs a residual policy that can only be checked when the log is extended with additional information. We prove correctness and termination properties of the algorithm. While these results are developed in a general form, accounting for many different sources of incompleteness in audit logs, we also prove that for the special case of logs that maintain a complete record of all relevant actions, the algorithm effectively enforces all safety and co-safety properties. The algorithm can significantly help automate enforcement of policies derived from the HIPAA Privacy Rule.


1 Introduction

Organizations, such as hospitals, banks, and universities, that collect, use, and share personal information have to ensure that they do so in a manner that respects the privacy of the information subjects. In fact, designing effective processes to audit transmission and access logs to ensure compliance with privacy regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) [32], has become one of the greatest challenges facing organizations today (see, for example, a recent survey from Deloitte and the Ponemon Institute [15]). State-of-the-art commercial tools such as FairWarning [1] allow auditors to mine access and transmission logs and flag potential violations of policy, but do not help decide which flagged items are actual violations, even though privacy legislation often lays down objective criteria to make such decisions. We address this challenge by developing a novel, logic-based method for computer-assisted enforcement of policies. This method can be used to enforce a rich class of privacy and security policies that include, in particular, real privacy regulations like HIPAA.

*This work was partially supported by the U.S. Army Research Office contract "Perpetually Available and Secure Information Systems" (DAAD19-02-1-0389) to Carnegie Mellon CyLab, the NSF Science and Technology Center TRUST, the NSF Cyber Trust grant Privacy, Compliance and Information Risk in Complex Organizational Processes, the AFOSR MURI Collaborative Policies and Assured Information Sharing, and HHS Grant no. HHS 90TR0003/01. The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of any sponsoring institution, the U.S. government or any other entity.

Policy Specification

The first challenge for policy enforcement is formal specification of real policies. This challenge was addressed in our prior work on PrivacyLFP [16], an expressive first-order temporal logic, in which we represented formally all transmission-related clauses of the HIPAA and GLBA Privacy Laws. PrivacyLFP is more expressive than prior logics considered for expressing policies, including propositional temporal logics [8, 18] and first-order metric temporal logic [10].

Building on the prior work on specification of privacy laws in PrivacyLFP, this paper presents an algorithm for enforcing policies represented in the logic, through iterative analysis of audit logs, which we assume are collected independently and provided to us. The policy enforcement algorithm and the formulation and proof of its properties are the main contribution of this paper.

Three concepts in privacy legislation (and PrivacyLFP) make mechanical enforcement particularly difficult; we discuss these concepts briefly. First, PrivacyLFP includes uninterpreted or subjective predicates to model subjective parts of privacy laws. For example, HIPAA allows transmission of protected health information about an individual from a hospital to a law enforcement agency if the hospital believes that the death of the individual was suspicious. Such beliefs are represented using uninterpreted predicates because the truth value of these predicates cannot, in general, be determined mechanically.

Second, PrivacyLFP allows first-order quantification over infinite domains (e.g., the set of messages or the set of time points). For example, many HIPAA clauses are of the form $\forall p_1, p_2, m.\,(\mathit{send}(p_1, p_2, m) \supset \varphi)$, where $p_1$ and $p_2$ are principals and $m$ is a message. Note that this formula quantifies over the infinite set of messages, so if an enforcement algorithm were to blindly instantiate the quantifiers with all possible values in the domain, then it will not terminate. However, only a finite number of messages are relevant in determining the truth value of this formula. This is because the number of messages transmitted from a hospital is finite and hence the predicate $\mathit{send}(p_1, p_2, m)$ is true for only a finite number of substitutions for the variable $m$ (and similarly for $p_1$ and $p_2$). To ensure that the number of relevant substitutions for every quantified variable is finite, we use the idea of mode checking from logic programming [4], and restrict the syntax of quantifiers in PrivacyLFP slightly. The finite substitution property for quantified variables over infinite domains is defined in Section 4, and ensures termination of our policy enforcement algorithm. The restriction on quantification does not significantly limit representation of HIPAA clauses, a claim we justify in Section 6.

Third, the representation of one transmission-related clause (Section 6802(c)) of the GLBA Privacy Law forces PrivacyLFP to include fixpoint operators. In this paper, we do not consider fixpoints because the representation of most privacy legislation, including all of HIPAA, does not require fixpoints. We note that including the least fixpoint operator in our algorithm may not be difficult, but supporting the greatest fixpoint may require a substantial effort.

Audit Logs

Another significant challenge in mechanical enforcement of privacy policies is that the logs maintained by organizations may be incomplete, i.e., they may not contain enough information to decide whether or not the policy has been violated. For instance, in the absence of human input, a machine may not be able to decide whether any instance of a predicate that refers to subjective beliefs is true or not. Similarly, we may not be able to predict whether a predicate holds in the future or not. As an important contribution, we observe that such possibly incomplete logs can be abstractly represented as three-valued, partial structures that map each atomic formula to either true, false, or unknown [13, 19]. We define the semantics of our logic over such structures. Further, by designing our enforcement algorithm to work with partial structures in general, we provide a uniform account of policy enforcement with different forms of log incompleteness.

We explicitly discuss in Section 5.2 a special case of partial structures that are complete up to a point of time. This instance corresponds to the standard model of traces used in prior work on enforcement of temporal privacy properties [10]. We show that on such structures, our algorithm yields a method to find violations of safety properties [2] and satisfactions of co-safety properties [11] at the earliest possible time, as may be expected.

A second important observation is that, in practice, structures evolve over time by gathering more information. We formalize this growth as a natural order, $\mathcal{L}_1 \geq \mathcal{L}_2$ (structure $\mathcal{L}_1$ extends structure $\mathcal{L}_2$), meaning that $\mathcal{L}_1$ has more information than $\mathcal{L}_2$. We present a general definition of extension of partial structures, which encompasses, in particular, notions of temporal (actions are added to the end of a trace) and spatial (distributed logs are merged) extensions.

Policy Enforcement

As our central contribution, we propose an iterative process for privacy policy enforcement. At each iteration, our algorithm takes as inputs a structure $\mathcal{L}$ abstracting the then-current audit log and a policy specification $\varphi$, verifies parts of the policy that depend solely on the given structure, and outputs a residual policy $\varphi'$ that contains all the conditions that need to be verified when more information becomes available. We write $\mathit{reduce}(\mathcal{L}, \varphi) = \varphi'$ to denote one iteration of our reduction algorithm. The residual policy $\varphi'$ is checked on extensions of $\mathcal{L}$.

Our reduction algorithm has several desirable properties that we prove formally. First, the algorithm always terminates. As noted earlier, the finite substitution property for variables quantified over infinite domains is crucial for termination. Second, it is correct: given a structure $\mathcal{L}$ and a policy $\varphi$, any extension of $\mathcal{L}$ satisfies the policy $\varphi$ if and only if it satisfies the residual formula $\varphi'$. Third, it is minimal: the residual formula only contains atoms whose truth value cannot be determined from the structure.

Our algorithm has been designed for after-the-fact (a-posteriori) audit, not runtime verification. However, as shown in Section 5.2, for the specific case of policies that do not contain any subjective predicates or future obligations, the algorithm may be executed at each privacy-relevant event to act as a runtime monitor, if all relevant past system logs can be provided to it.

Application to HIPAA

Our technical results have important implications for enforcing practical privacy policies, in particular, the HIPAA Privacy Rule. As discussed in Section 6, not only can our algorithm be used to automatically instantiate all quantifiers in all 84 transmission-related clauses of HIPAA, but it can also automatically discharge the large percentage of non-subjective atoms in instantiated clauses. For example, we estimate that in 17 of the 84 clauses, all atoms can be discharged automatically, and in 24 other clauses, at least 80% of the atoms can be discharged automatically.

Summary of Contributions

In summary, the contributions of this paper are:

• An iterative algorithm for enforcing policies represented in PrivacyLFP, a rich logic with quantification over infinite domains, and formulation and proofs of the algorithm's properties (Section 4)

• Use of mode analysis from logic programming to ensure that infinite quantifiers result only in a finite number of relevant substitutions (Section 4)

• A formal model of incomplete audit logs as three-valued structures (Section 3)

Figure 1: Timed First-order Temporal Logic with Restricted Quantifiers

Organization

In Section 2, we review PrivacyLFP to the extent needed for this paper. Section 3 presents partial structures and defines the semantics of PrivacyLFP over them. Section 4 presents our policy enforcement algorithm and its properties. Section 5 discusses the behavior of our algorithm on structures that are complete and those that are complete up to a point of time. In the latter case, we also present associated results about enforcement of safety and co-safety properties. Section 6 describes how the work in this paper applies to the HIPAA Privacy Rule. Section 7 provides a detailed comparison with related work and Section 8 presents conclusions and directions for future work.

2 Policy Logic

We use PrivacyLFP [16] to represent policies, but restrict the syntax of first-order quantifiers slightly to facilitate enforcement and drop fixpoint operators. PrivacyLFP consists of an outer policy logic with connectives of temporal logic and an inner, equally expressive sublogic without connectives of temporal logic to which the outer syntax is translated. Our enforcement algorithm works only with the inner sublogic. In this section we review both the outer syntax and the sublogic, as well as the translation.

2.1 Syntax of the Policy Logic

The syntax of our policy logic is shown in Figure 1. We distinguish two classes of predicate symbols: 1) objective predicates, denoted $p_O$, that can be decided automatically using information from logs or using constraint solvers and 2) subjective predicates, denoted $p_S$, that require human input to resolve. Both classes of predicates are illustrated in examples later. An atom is a predicate applied to a list of terms (terms are denoted $t$). Based on the class of its predicate, an atom is also classified as either objective or subjective, written $P_O$ and $P_S$, respectively.




Propositional connectives $\top$ (true), $\bot$ (false), $\wedge$ (conjunction), $\vee$ (disjunction), and $\neg$ (negation) have their usual meanings. Anticipating the requirements of the enforcement algorithm of Section 4, first-order quantifiers $\forall x.(c \supset \alpha)$ and $\exists x.(c \wedge \alpha)$ in the logic are forced to include a formula $c$ called a restriction. By definition, $\forall x.(c \supset \alpha)$ is true iff all instances of $x$ that satisfy $c$ also satisfy $\alpha$. ($\exists x.(c \wedge \alpha)$ has a similar definition.) To make enforcement tractable, we require that the set of instances of $x$ satisfying $c$ be computable. This is ensured by limiting $c$ to a reduced class of formulas that, in particular, excludes subjective predicates (see the syntax of $c$ in Figure 1), and through a static analysis that we describe in Section 4.

Further, our logic includes standard connectives of linear temporal logic (LTL) [23] that provide quantification over the sequence of states in a system, relative to a current state: $\alpha\,\mathcal{S}\,\beta$ ($\beta$ holds at some state in the past and $\alpha$ holds since then), $\alpha\,\mathcal{U}\,\beta$ ($\beta$ holds at some state in the future and $\alpha$ holds until then), $\boxminus\alpha$ ($\alpha$ holds at all states in the past) and its future-time counterpart ($\alpha$ holds at all states in the future). Other temporal operators can be defined, e.g., $\Diamond\alpha = \top\,\mathcal{S}\,\alpha$ ($\alpha$ holds at some state in the past) and $\top\,\mathcal{U}\,\alpha$ ($\alpha$ holds at some state in the future).

Finally, to represent clock time, which often occurs in privacy policies, we assume that each state of a system has a time point associated with it. Time points, denoted $\tau$, are elements of $\mathbb{T} = \{x \in \mathbb{R} \mid x \geq 0\} \cup \{\infty\}$. They measure clock time elapsed from a fixed reference point and order states linearly. Relations between time points are captured in logical formulas using the freeze quantifier $\lfloor x.\,\alpha$ of timed propositional temporal logic (TPTL) [3], which means "$\alpha$ holds with the current time bound to $x$." (Examples below illustrate the quantifier.) Since we have no occasion to reason explicitly about states, we identify a state with the time point associated with it, and use the letter $\tau$ and any of the terms "state", "time point", "time", and "point" to refer to both states and time points. We make the assumption that on any trace there are only finitely many time points between two given finite time points.

We illustrate the syntax of our logic through two examples that are based on the formalization of HIPAA in PrivacyLFP. These examples are also used later in the paper.

Example 2.1. As a first example, we represent in our logic the following policy about disclosure (transmission) of health information from one entity (e.g., a hospital or doctor) to another.

An entity may send an individual's protected health information (phi) to another entity only if the receiving entity is the patient's doctor and the purpose of the transmission is treatment, or the individual has previously consented to the transmission.

Our formalization assumes that each transmitted message $m$ is tagged by the sender (in a machine-readable format) with the names of individuals whose information it carries as well as the attributes of information it carries (attributes include "address", "social security number", "medications", "medical history", etc.). The predicate $\mathit{tagged}(m, q, t)$ means that message $m$ is tagged as carrying individual $q$'s attribute $t$. Tagging may or may not reflect accurately the content of the message. Similarly, we assume that each message $m$ is labeled in a machine-readable format with a purpose $u$ (e.g., "treatment", "healthcare", etc.). This is represented by the predicate $\mathit{purp}(m, u)$. Because we assume that name and attribute tags as well as purpose labels are machine readable, both $\mathit{tagged}$ and $\mathit{purp}$ are objective predicates: their truth or falsity can be checked using a program.

Attributes are assumed to have a hierarchy, e.g., the attribute "medications" is contained in "medical history". This is formalized as the predicate $\mathit{attr\_in}(\mathit{medications}, \mathit{medical\_history})$. We assume that the hierarchy can be mechanically checked, so $\mathit{attr\_in}$ is an objective predicate. The predicate $\mathit{purp\_in}(u, u')$ means that purpose $u$ is a special case of purpose $u'$, e.g., $\mathit{purp\_in}(\mathit{surgery}, \mathit{treatment})$. In contrast to attributes, we assume that the purpose hierarchy cannot be computed, so $\mathit{purp\_in}$ is a subjective predicate. In an enforcement system, it must be checked through human input.

Finally, each action or fact that can be recorded in a system log (such as sending a message or that Alice is in role doctor) is represented as an objective predicate. For this example we need three objective predicates: $\mathit{send}(p_1, p_2, m)$ meaning that entity $p_1$ sends message $m$ to entity $p_2$, $\mathit{consents}(q, a)$ which means that individual $q$ consents to the action $a$, and $\mathit{inrole}(p, r)$ which means that principal $p$ is in role $r$. Here, the only action consented to is $\mathit{sendaction}(p_1, p_2, (q, t))$, which corresponds to $p_1$ sending to $p_2$ a message containing information about $q$'s attribute $t$.

The above policy can be formalized in our logic as follows.

$$
\varphi_{pol1} = \forall p_1, p_2, m, u, q, t.\ (\mathit{send}(p_1, p_2, m) \wedge \mathit{purp}(m, u) \wedge \mathit{tagged}(m, q, t) \wedge \mathit{attr\_in}(t, \mathit{phi})) \supset ((\mathit{inrole}(p_2, \mathit{doc}(q)) \wedge \mathit{purp\_in}(u, \mathit{treatment})) \vee \Diamond\,\mathit{consents}(q, \mathit{sendaction}(p_1, p_2, (q, t))))
$$

In words, if entity $p_1$ sends to entity $p_2$ a message $m$, $m$ is tagged as carrying attribute $t$ of individual $q$, where $t$ is a form of phi (protected health information), and $m$ is labeled with purpose $u$, then either $p_2$ (the recipient) is a doctor of $q$ (atom $\mathit{inrole}(p_2, \mathit{doc}(q))$) and $u$ is a type of treatment, or $q$ has consented to this transmission in the past (last line of $\varphi_{pol1}$). The temporal operator $\Diamond$ is used to indicate that the consent may have been given by $q$ in some earlier state. Also, the universal quantifier in the formula above carries a restriction ($\mathit{send}(p_1, p_2, m) \wedge \mathit{purp}(m, u) \wedge \mathit{tagged}(m, q, t) \wedge \mathit{attr\_in}(t, \mathit{phi})$), as required by our syntax. The technical reason for including restrictions is explained in Section 4.

Example 2.2. Our next example is a policy governing entity response to an individual's request for her own information.

If an individual requests her information from an entity, then some administrator in the records department of the entity must respond to the individual at the earliest feasible time, but not later than 30 days after the request.

To represent this policy we need one more objective predicate, $\mathit{req}(p, t)$, which means that individual $p$ requests information about attribute $t$ from her record. Further, we need two new subjective predicates: $\mathit{contains}(m, q, t)$ (message $m$ contains attribute $t$ of individual $q$) and $\mathit{ftr}(p, t)$ (it is feasible to respond to individual $p$ with attribute $t$ at the current time). The latter clearly requires human input to resolve, because "feasibility" cannot be defined mechanically, while the former requires human input because we assume that message payloads may contain natural language text.

The logical specification of this policy is shown below:

$$
\varphi_{pol2} = \lfloor\tau.\,\forall p, t.\ \mathit{req}(p, t) \supset \big(\neg\mathit{ftr}(p, t)\ \mathcal{U}\ \lfloor\tau'.\,(\mathit{in}(\tau', \tau, \tau + 30) \wedge \exists q, m.\,(\mathit{inrole}(q, \mathit{records}) \wedge \mathit{send}(q, p, m) \wedge \mathit{contains}(m, p, t)))\big)
$$

The top-most quantifier binds $\tau$ to the time at which a request occurs and, similarly, $\lfloor\tau'$ binds $\tau'$ to the time at which a response is sent. $\mathit{in}(\tau', \tau, \tau + 30)$, formally explained in Section 2.2, implies that $\tau' \leq \tau + 30$, thus enforcing the constraint that the response be sent within 30 days of the request, as required by the policy. The until operator $\mathcal{U}$ is used to include the obligation that it be infeasible to respond until the response is actually sent.


2.2 Translation to a Smaller Syntax

Policies expressed in PrivacyLFP's outer syntax can be translated into a smaller sublogic without temporal connectives and negation. This smaller syntax of formulas $\varphi, \psi$ of the sublogic is shown below. Other syntactic categories such as restrictions $c$ are not changed.

$$
\text{Formulas}\quad \varphi ::= P_O \mid P_S \mid \top \mid \bot \mid \varphi_1 \wedge \varphi_2 \mid \varphi_1 \vee \varphi_2 \mid \forall x.(c \supset \varphi) \mid \exists x.(c \wedge \varphi)
$$

We surmount the absence of negation in the sublogic by defining for each formula $\varphi$ a dual $\overline{\varphi}$ that behaves exactly as $\neg\varphi$ would. For defining duals of atoms, we assume that each predicate $p$ has a dual $\overline{p}$ such that $\overline{p}(t_1, \ldots, t_n)$ is true iff $p(t_1, \ldots, t_n)$ is false (the relation between $p$ and $\overline{p}$ is formalized in Section 3). We define $\overline{\varphi}$ by induction on $\varphi$, as in the representative clauses below (for the remaining clauses see Appendix A).

- $\overline{P_O(t_1, \ldots, t_n)} = \overline{P_O}(t_1, \ldots, t_n)$
- $\overline{\varphi \wedge \psi} = \overline{\varphi} \vee \overline{\psi}$
- $\overline{\forall x.(c \supset \varphi)} = \exists x.(c \wedge \overline{\varphi})$
- $\overline{\exists x.(c \wedge \varphi)} = \forall x.(c \supset \overline{\varphi})$

Temporal connectives are translated to the sublogic by making time points (states) and the ordering relation between them explicit in first-order formulas in a standard way (see [16]). Briefly, we assume that for every predicate symbol in the logic there is a predicate of the same name in the sublogic, but with one extra argument of type time: $p(t_1, \ldots, t_n, \tau)$ in the sublogic means that $p(t_1, \ldots, t_n)$ holds at time $\tau$ in the logic. Further, assume that the new objective predicate $\mathit{in}(\tau, \tau_1, \tau_2)$ means that $\tau$ is an observed time point (in the trace of interpretation) satisfying $\tau_1 \leq \tau \leq \tau_2$. Finally, let $E[t/x]$ denote the result of substituting the terms $t$ for variables $x$ in the syntactic entity $E$. Then, representative clauses of the translation $(\cdot)^\tau$ of restrictions and formulas of the logic to those of the sublogic, indexed by a "current time" $\tau$, are shown below (the full translation is shown in Appendix A):


- $(P_O(t_1, \ldots, t_n))^\tau = P_O(t_1, \ldots, t_n, \tau)$
- $(P_S(t_1, \ldots, t_n))^\tau = P_S(t_1, \ldots, t_n, \tau)$
- $(\neg\alpha)^\tau = \overline{(\alpha)^\tau}$
- $(\forall x.(c \supset \alpha))^\tau = \forall x.((c)^\tau \supset (\alpha)^\tau)$
- $(\lfloor x.\,\alpha)^\tau = (\alpha[\tau/x])^\tau$
- $(\alpha\,\mathcal{S}\,\beta)^\tau = \exists\tau'.\,(\mathit{in}(\tau', 0, \tau) \wedge (\beta)^{\tau'} \wedge (\forall\tau''.\,((\mathit{in}(\tau'', \tau', \tau) \wedge \tau' \neq \tau'') \supset (\alpha)^{\tau''})))$
- $(\alpha\,\mathcal{U}\,\beta)^\tau = \exists\tau'.\,(\mathit{in}(\tau', \tau, \infty) \wedge (\beta)^{\tau'} \wedge (\forall\tau''.\,((\mathit{in}(\tau'', \tau, \tau') \wedge \tau'' \neq \tau') \supset (\alpha)^{\tau''})))$

We briefly explain some of the clauses of the translation. In $(\lfloor x.\,\alpha)^\tau$, $x$ binds to the current time, which is $\tau$; therefore, $\tau$ substitutes $x$ in $\alpha$ in the translation. $\alpha\,\mathcal{S}\,\beta$ means that $\beta$ is true at some time point in the past, which is captured by the existentially quantified variable $\tau'$ in the translation, and the restriction $\mathit{in}(\tau', 0, \tau)$. Further, $\alpha$ should be true at all time points between $\tau'$ and now ($\tau$); this is encoded as $\forall\tau''.\,((\mathit{in}(\tau'', \tau', \tau) \wedge \tau'' \neq \tau') \supset (\alpha)^{\tau''})$.
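The translation $(\cdot)^\tau$ above, carried out mechanically. This is an added example, not code from the paper: the tuple encoding of formulas, the `tau1, tau2, ...` naming of fresh time variables, and the `neq` predicate name for $\tau' \neq \tau''$ are assumptions. Negation is left out (the page handles it through duals); the block covers atoms, restricted quantifiers, the freeze quantifier, $\mathcal{S}$, $\mathcal{U}$ and the $\mathsf{G}$ abbreviation of Example 2.3, plus the "simplifying slightly" step that drops the vacuous $\forall\tau''.(\ldots \supset \top)$ that $\Diamond\alpha = \top\,\mathcal{S}\,\alpha$ produces.

```python
# Translation of the outer temporal syntax into the first-order sublogic, one
# clause per constructor, as in the representative clauses above.
# Constructed example, not the paper's code.
import itertools

INF = float('inf')

# Outer-logic formulas (a constructed encoding):
#   ('atom', P, args)            ('top',)  ('bot',)  ('and', a, b)  ('or', a, b)
#   ('forall', x, c, a)  for ∀x.(c ⊃ a)      ('exists', x, c, a)  for ∃x.(c ∧ a)
#   ('freeze', x, a)     for ⌊x.a             ('since', a, b) / ('until', a, b)
# The sublogic uses the same constructors minus freeze/since/until; atoms gain a
# final time argument, and in(t, lo, hi) / neq(t1, t2) are the predicates that the
# translation itself introduces.

_counter = itertools.count(1)

def fresh():
    """A time variable not used anywhere else (assumed naming: tau1, tau2, ...)."""
    return f"tau{next(_counter)}"

def subst(formula, x, t):
    """formula[t/x]: replace the variable x by the term t, stopping where x is rebound."""
    tag = formula[0]
    if tag == 'atom':
        return ('atom', formula[1], tuple(t if a == x else a for a in formula[2]))
    if tag in ('top', 'bot'):
        return formula
    if tag in ('and', 'or', 'since', 'until'):
        return (tag, subst(formula[1], x, t), subst(formula[2], x, t))
    if tag in ('forall', 'exists'):
        _, y, c, a = formula
        return formula if y == x else (tag, y, subst(c, x, t), subst(a, x, t))
    if tag == 'freeze':
        _, y, a = formula
        return formula if y == x else (tag, y, subst(a, x, t))
    raise ValueError(tag)

def translate(formula, tau):
    """(formula)^tau: make the current time tau explicit in every atom."""
    tag = formula[0]
    if tag == 'atom':                       # (P(t1..tn))^tau = P(t1..tn, tau)
        return ('atom', formula[1], tuple(formula[2]) + (tau,))
    if tag in ('top', 'bot'):
        return formula
    if tag in ('and', 'or'):
        return (tag, translate(formula[1], tau), translate(formula[2], tau))
    if tag in ('forall', 'exists'):         # (∀x.(c ⊃ a))^tau = ∀x.((c)^tau ⊃ (a)^tau)
        _, x, c, a = formula
        return (tag, x, translate(c, tau), translate(a, tau))
    if tag == 'freeze':                     # (⌊x.a)^tau = (a[tau/x])^tau
        _, x, a = formula
        return translate(subst(a, x, tau), tau)
    a, b = formula[1], formula[2]
    t1, t2 = fresh(), fresh()               # tau' and tau'' of the clauses above
    if tag == 'since':
        # ∃t1.(in(t1, 0, tau) ∧ ((b)^t1 ∧ ∀t2.((in(t2, t1, tau) ∧ t1 ≠ t2) ⊃ (a)^t2)))
        between = ('forall', t2, ('and', ('atom', 'in', (t2, t1, tau)),
                                         ('atom', 'neq', (t1, t2))), translate(a, t2))
        return ('exists', t1, ('atom', 'in', (t1, 0, tau)), ('and', translate(b, t1), between))
    if tag == 'until':
        # ∃t1.(in(t1, tau, ∞) ∧ ((b)^t1 ∧ ∀t2.((in(t2, tau, t1) ∧ t2 ≠ t1) ⊃ (a)^t2)))
        between = ('forall', t2, ('and', ('atom', 'in', (t2, tau, t1)),
                                         ('atom', 'neq', (t2, t1))), translate(a, t2))
        return ('exists', t1, ('atom', 'in', (t1, tau, INF)), ('and', translate(b, t1), between))
    raise ValueError(tag)

def G(alpha):
    """G alpha = ∀tau.(in(tau, 0, ∞) ⊃ (alpha)^tau): alpha holds at every time point."""
    tau = fresh()
    return ('forall', tau, ('atom', 'in', (tau, 0, INF)), translate(alpha, tau))

def simplify(f):
    """Drop what the translation leaves vacuous: phi ∧ ⊤ → phi and ∀x.(c ⊃ ⊤) → ⊤."""
    tag = f[0]
    if tag in ('and', 'or'):
        a, b = simplify(f[1]), simplify(f[2])
        if tag == 'and' and a == ('top',): return b
        if tag == 'and' and b == ('top',): return a
        return (tag, a, b)
    if tag in ('forall', 'exists'):
        _, x, c, body = f
        body = simplify(body)
        return ('top',) if tag == 'forall' and body == ('top',) else (tag, x, c, body)
    return f

# The consent disjunct of phi_pol1: ◇consents(q, act) = ⊤ S consents(q, act)
PAST_CONSENT = ('since', ('top',), ('atom', 'consents', ('q', 'act')))

if __name__ == '__main__':
    print(simplify(translate(PAST_CONSENT, 'tau')))   # ∃tau'.(in(tau',0,tau) ∧ consents(q,act,tau'))
```

Running the block prints the translated consent clause in exactly the shape that appears inside $\mathsf{G}\varphi_{pol1}$ in Example 2.3; `translate` on a `'freeze'` formula shows why the page says $\tau$ "substitutes $x$": the bound variable simply disappears into the time arguments.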

Example 2.3. In Section 2.1 we presented two sample policies, $\varphi_{pol1}$ and $\varphi_{pol2}$. In general, we may wish to enforce each of these policies in each state. To express the phrase "in each state", we define an abbreviation: $\mathsf{G}\alpha = \forall\tau.\,(\mathit{in}(\tau, 0, \infty) \supset (\alpha)^\tau)$, which means that $\alpha$ holds at each time point $\tau$. Then, using the translation above and simplifying slightly, we get:


$$
\mathsf{G}\varphi_{pol1} = \forall\tau, p_1, p_2, m, u, q, t.\ (\mathit{in}(\tau, 0, \infty) \wedge \mathit{send}(p_1, p_2, m, \tau) \wedge \mathit{purp}(m, u, \tau) \wedge \mathit{tagged}(m, q, t, \tau) \wedge \mathit{attr\_in}(t, \mathit{phi}, \tau)) \supset ((\mathit{inrole}(p_2, \mathit{doc}(q), \tau) \wedge \mathit{purp\_in}(u, \mathit{treatment}, \tau)) \vee (\exists\tau'.\,(\mathit{in}(\tau', 0, \tau) \wedge \mathit{consents}(q, \mathit{sendaction}(p_1, p_2, (q, t)), \tau'))))
$$

$$
\mathsf{G}\varphi_{pol2} = \forall\tau, p, t.\ (\mathit{in}(\tau, 0, \infty) \wedge \mathit{req}(p, t, \tau)) \supset \exists\tau', q, m.\ ((\mathit{in}(\tau', \tau, \tau + 30) \wedge \mathit{inrole}(q, \mathit{records}, \tau') \wedge \mathit{send}(q, p, m, \tau')) \wedge \mathit{contains}(m, p, t, \tau') \wedge \forall\tau''.\,((\mathit{in}(\tau'', \tau, \tau') \wedge \tau'' \neq \tau') \supset \overline{\mathit{ftr}}(p, t, \tau'')))
$$

Note that all atoms, except those like $\mathit{in}(\ldots)$ and $\tau'' \neq \tau'$ that are introduced by the translation itself, have a new last argument, which is a time point. For certain predicates like $\mathit{tagged}$, $\mathit{attr\_in}$ and $\mathit{purp\_in}$, whose truth is independent of time, this last argument is redundant. For instance, if $\mathit{attr\_in}(t, t', \tau)$ for some $\tau$, then $\mathit{attr\_in}(t, t', \tau')$ for all $\tau'$.


3 Partial Structures and Semantics


Next, we define partial structures, an abstraction of audit logs over which our enforcement algorithm (Section 4) works. We call our structures partial because they do not necessarily stipulate the truth or falsity of every atom, thus accurately reflecting the fact that audit logs may be incomplete in practice. We also illustrate, by way of example, various kinds of audit log incompleteness that our partial structures generalize. Finally, we define the semantics (meanings) of formulas of the sublogic on partial structures. This definition is used in Section 4 to state the correctness of our enforcement mechanism. Partial structures have been used, both explicitly and implicitly, in prior work on policy enforcement; we compare to such work in Section 7.

A partial structure (abbrev. structure) is a pair $\mathcal{L} = (D_\mathcal{L}, \rho_\mathcal{L})$, where $D_\mathcal{L}$, the domain, is a set of terms containing at least all possible time points $\mathbb{T}$, and $\rho_\mathcal{L}$ is a total function from ground (variable-free) atoms of the logic to the three-value set $\{\mathsf{tt}, \mathsf{ff}, \mathsf{uu}\}$. We say that the atom $P$ is true, false, or unknown in the structure $\mathcal{L}$ if $\rho_\mathcal{L}(P)$ is $\mathsf{tt}$, $\mathsf{ff}$, or $\mathsf{uu}$, respectively. In practice, the structure $\mathcal{L}$ may be defined using system logs (hence the notation $\mathcal{L}$), whence $D_\mathcal{L}$ would be the set of all terms (roles, principals, messages, attributes, time points, etc.) occurring in the logs and for every subjective atom $P_S$, $\rho_\mathcal{L}(P_S)$ would be $\mathsf{uu}$.

The semantics of our sublogic lift the definition of truth to formulas $\varphi$ by induction on $\varphi$: we write $\mathcal{L} \models \varphi$ to mean that "$\varphi$ is true in the structure $\mathcal{L}$". Restrictions $c$ are a subsyntax of formulas $\varphi$, so we do not define the relation separately for them.

- $\mathcal{L} \models P$ iff $\rho_\mathcal{L}(P) = \mathsf{tt}$
- $\mathcal{L} \models \top$
- $\mathcal{L} \models \varphi \wedge \psi$ iff $\mathcal{L} \models \varphi$ and $\mathcal{L} \models \psi$
- $\mathcal{L} \models \varphi \vee \psi$ iff $\mathcal{L} \models \varphi$ or $\mathcal{L} \models \psi$
- $\mathcal{L} \models \forall x.(c \supset \varphi)$ iff for all $t \in D_\mathcal{L}$, either $\mathcal{L} \models \overline{c[t/x]}$ or $\mathcal{L} \models \varphi[t/x]$
- $\mathcal{L} \models \exists x.(c \wedge \varphi)$ iff there exists $t \in D_\mathcal{L}$ such that $\mathcal{L} \models c[t/x]$ and $\mathcal{L} \models \varphi[t/x]$


For dual atoms, we define $\rho_\mathcal{L}(\overline{P}) = \overline{\rho_\mathcal{L}(P)}$, where $\overline{\mathsf{tt}} = \mathsf{ff}$, $\overline{\mathsf{ff}} = \mathsf{tt}$, and $\overline{\mathsf{uu}} = \mathsf{uu}$. We say that a formula $\varphi$ is false on the structure $\mathcal{L}$ if $\mathcal{L} \models \overline{\varphi}$. The following two properties hold:

1. Consistency: A formula $\varphi$ cannot be simultaneously true and false in the structure $\mathcal{L}$, i.e., either $\mathcal{L} \not\models \varphi$ or $\mathcal{L} \not\models \overline{\varphi}$.

2. Incompleteness: A formula $\varphi$ may be neither true nor false in a structure $\mathcal{L}$, i.e., $\mathcal{L} \not\models \varphi$ and $\mathcal{L} \not\models \overline{\varphi}$ may both hold.

The first property follows by induction on $\varphi$. The second property follows from a simple example. Consider a structure $\mathcal{L}$ and an atom $P$ such that $\rho_\mathcal{L}(P) = \mathsf{uu}$. Then, $\mathcal{L} \not\models P$ and $\mathcal{L} \not\models \overline{P}$.


Incompleteness in Practice

We list below several ways in which system logs may be incomplete, and describe how each can be modeled in partial structures by varying the definition of $\rho_\mathcal{L}$.

• Subjective incompleteness: An audit log may not contain information about subjective predicates. This may be modeled by requiring that $\rho_\mathcal{L}(P_S) = \mathsf{uu}$ for every subjective atom $P_S$. We revisit subjective incompleteness in the context of our enforcement algorithm in Section 5.1.

• Future incompleteness: An audit log may not contain information about the future, which is necessary to enforce policies like that in Example 2.2. This may be modeled by assuming that for each time $\tau$ greater than the last point observed in $\mathcal{L}$, and for all $p$, $\rho_\mathcal{L}(p(t_1, \ldots, t_n, \tau)) = \mathsf{uu}$. (Recall that in our translation of the outer logic, the last argument $\tau$ is the time at which the predicate's truth is tested.) We revisit future incompleteness in the context of our enforcement algorithm in Section 5.2.

• Spatial incompleteness: An audit log may not record all predicates. For instance, with reference to Example 2.1, it is conceivable that the predicates $\mathit{send}$ and $\mathit{inrole}$ are stored on separate sites. If we audit at the first site, information about $\mathit{inrole}$ may be unavailable. Such incompleteness is easily modeled like subjective incompleteness. For instance, we may assume that $\rho_\mathcal{L}(\mathit{inrole}(p, r, \tau)) = \mathsf{uu}$ for all $p, r, \tau$.

• Past incompleteness: An audit log may not record the existence of certain relevant states, even those in the past. This has implications for enforcing temporal operators, e.g., we may be unable to check that $\Diamond\alpha$ simply because we cannot determine what states existed in the past. This form of incompleteness can be formally modeled by assuming that if a time point $\tau$ does not occur in an audit log $\mathcal{L}$, then $\rho_\mathcal{L}(\mathit{in}(\tau, \tau', \tau'')) = \mathsf{uu}$. In the special case where it is certain that the time point $\tau$ does not exist, we would have $\rho_\mathcal{L}(\mathit{in}(\tau, \tau', \tau'')) = \mathsf{ff}$.

Our  enforcement  algorithm  (Section  4)  works  with  partial  structures  in  general  and,  hence, 
takes  into  account  all  these  forms  of  incompleteness.  We  comment  on  some  specific  instances  in 
Section  5. 

Structure Extension  In practice, system logs evolve over time by gathering more information. This leads to a natural order, $\mathcal{L}_1 \geq \mathcal{L}_2$, on structures ($\mathcal{L}_1$ extends $\mathcal{L}_2$), meaning that $\mathcal{L}_1$ has more information than $\mathcal{L}_2$. Formally, $\mathcal{L}_1 \geq \mathcal{L}_2$ iff $D_{\mathcal{L}_1} \supseteq D_{\mathcal{L}_2}$ and for all ground atoms $P$, $\rho_{\mathcal{L}_2}(P) \in \{\mathsf{tt}, \mathsf{ff}\}$ implies $\rho_{\mathcal{L}_1}(P) = \rho_{\mathcal{L}_2}(P)$. Thus, as structures extend, the valuation of an atom may change from uu to either tt or ff, but cannot change once it is either tt or ff. The following property follows by induction on $\varphi$:

• Monotonicity: $\mathcal{L}_1 \geq \mathcal{L}_2$ and $\mathcal{L}_2 \models \varphi$ imply $\mathcal{L}_1 \models \varphi$.

Replacing $\varphi$ with $\overline{\varphi}$, we also obtain that $\mathcal{L}_1 \geq \mathcal{L}_2$ and $\mathcal{L}_2 \models \overline{\varphi}$ imply $\mathcal{L}_1 \models \overline{\varphi}$. Hence, if $\mathcal{L}_1 \geq \mathcal{L}_2$ then $\mathcal{L}_1$ preserves both the $\mathcal{L}_2$-truth and $\mathcal{L}_2$-falsity of every formula $\varphi$.

In the next section, we use this order between structures to both explain and prove formal properties of our enforcement algorithm.
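
As an added illustration that is not part of the paper, the following Python model implements the truth relation defined above, the dual-atom notion of falsity, and the extension order on structures, and exercises them on a constructed audit fragment. The structures, the predicates in and send, and the valuation table are assumptions of the example rather than data from the paper: in the smaller structure a request-response formula is neither true nor false, and extending the structure decides it without revaluing any atom that was already tt or ff.

```python
# Added example (not code from the paper): the three-valued semantics of the sublogic on a
# finite partial structure, falsity via dual atoms, and the extension order L1 >= L2 with its
# monotonicity property.  Formulas are nested tuples; variables are strings starting with '?':
#   ('atom', pred, args)   ('dual', pred, args)   ('top',)   ('bot',)   ('and', a, b)   ('or', a, b)
#   ('forall', x, c, phi) for forall x.(c => phi)      ('exists', x, c, phi) for exists x.(c and phi)
TT, FF, UU = 'tt', 'ff', 'uu'
DUAL_VALUE = {TT: FF, FF: TT, UU: UU}     # rho_L of a dual atom: tt-bar = ff, ff-bar = tt, uu-bar = uu


class PartialStructure:
    """A domain D_L plus a valuation rho_L; ground atoms missing from the table are uu (unknown)."""

    def __init__(self, domain, valuation):
        self.domain = frozenset(domain)
        self.valuation = dict(valuation)   # (pred, args) -> tt / ff / uu

    def rho(self, pred, args):
        return self.valuation.get((pred, tuple(args)), UU)

    def extends(self, other):
        """L1 >= L2: the domain is no smaller and every tt/ff atom of L2 keeps its value in L1."""
        return self.domain >= other.domain and all(
            self.rho(p, a) == v for (p, a), v in other.valuation.items() if v != UU)


def subst(phi, x, t):
    """phi[t/x]; an inner quantifier binding the same x shadows the substitution."""
    k = phi[0]
    if k in ('atom', 'dual'):
        return (k, phi[1], tuple(t if a == x else a for a in phi[2]))
    if k in ('and', 'or'):
        return (k, subst(phi[1], x, t), subst(phi[2], x, t))
    if k in ('forall', 'exists') and phi[1] != x:
        return (k, phi[1], subst(phi[2], x, t), subst(phi[3], x, t))
    return phi


def dual(phi):
    """phi-bar: dualise atoms and swap top/bot, and/or, and the two guarded quantifier forms."""
    k = phi[0]
    if k in ('atom', 'dual'):
        return ('dual' if k == 'atom' else 'atom', phi[1], phi[2])
    if k in ('top', 'bot'):
        return ('bot',) if k == 'top' else ('top',)
    if k in ('and', 'or'):
        return ('or' if k == 'and' else 'and', dual(phi[1]), dual(phi[2]))
    # forall x.(c => phi) is dual to exists x.(c and phi-bar) and vice versa; the guard c stays
    return ('exists' if k == 'forall' else 'forall', phi[1], phi[2], dual(phi[3]))


def holds(L, phi):
    """L |= phi, by induction on phi, clause for clause as in the semantics above."""
    k = phi[0]
    if k == 'atom':
        return L.rho(phi[1], phi[2]) == TT
    if k == 'dual':
        return DUAL_VALUE[L.rho(phi[1], phi[2])] == TT
    if k in ('top', 'bot'):
        return k == 'top'
    if k == 'and':
        return holds(L, phi[1]) and holds(L, phi[2])
    if k == 'or':
        return holds(L, phi[1]) or holds(L, phi[2])
    x, c, body = phi[1], phi[2], phi[3]
    if k == 'forall':     # for every t in D_L, either c-bar[t/x] or body[t/x] holds
        return all(holds(L, dual(subst(c, x, t))) or holds(L, subst(body, x, t)) for t in L.domain)
    return any(holds(L, subst(c, x, t)) and holds(L, subst(body, x, t)) for t in L.domain)


def scenario():
    """Constructed audit fragment (not from the paper).  L2 has observed the states 1 and 3; the
    time point 5 is in the domain but not yet observed, so every atom about 5 is uu.  L1 extends
    L2 with state 5, at which Bob's message M to Alice is recorded."""
    def send(tau):
        return ('atom', 'send', ('Bob', 'Alice', 'M', tau))
    observed = {('in', (1, 0, 10)): TT, ('in', (3, 0, 10)): TT,
                ('send', ('Bob', 'Alice', 'M', 1)): FF, ('send', ('Bob', 'Alice', 'M', 3)): FF}
    L2 = PartialStructure({1, 3, 5}, observed)
    L1 = PartialStructure({1, 3, 5}, {**observed, ('in', (5, 0, 10)): TT,
                                      ('send', ('Bob', 'Alice', 'M', 5)): TT})
    # exists tau.(in(tau, 0, 10) and send(Bob, Alice, M, tau)): some observed time with a send
    responded = ('exists', '?tau', ('atom', 'in', ('?tau', 0, 10)), send('?tau'))
    return L1, L2, responded
```

In L2 the formula `responded` is neither true (no recorded send) nor false (time 5 is still unknown), which is the incompleteness property; in L1 it is true and not false, which is consistency; and an atom that L2 already valued ff, such as the absence of a send at time 3, stays false in L1, which is monotonicity.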

4  Policy  Enforcement 

Our main technical contribution is an iterative process for enforcing policies written in the sublogic. Through the translation of Section 2.2, the same process applies to policies written in the entire policy logic. At each iteration, our algorithm takes as input a policy $\varphi$ and the available audit log abstracted as a partial structure $\mathcal{L}$, and outputs a residual policy $\psi$ that contains exactly the parts of $\varphi$ that could not be verified due to lack of information in $\mathcal{L}$. Such an iteration is written $\mathsf{reduce}(\mathcal{L}, \varphi) = \psi$. In practice, $\psi$ may contain subjective predicates and future obligations. Once more information becomes available, extending $\mathcal{L}$ to $\mathcal{L}'$ ($\mathcal{L}' \geq \mathcal{L}$), another iteration of the algorithm can be used with inputs $\psi$ and $\mathcal{L}'$ to obtain a new formula $\psi'$. This process can be continued till a formula trivially equivalent to $\top$ or $\bot$ is obtained, or the truth or falsity of the remaining formula is decided by human intervention. By design, our algorithm satisfies three important properties:

• Termination: Each iteration terminates.

• Correctness: If $\mathsf{reduce}(\mathcal{L}, \varphi) = \psi$, then for all extensions $\mathcal{L}'$ of $\mathcal{L}$, $\mathcal{L}' \models \varphi$ iff $\mathcal{L}' \models \psi$.

• Minimality: If $\mathsf{reduce}(\mathcal{L}, \varphi) = \psi$, then an atom occurs in $\psi$ only if it occurs in $\varphi$ and its valuation on $\mathcal{L}$ is uu.

The technically difficult part of the algorithm is its treatment of quantifiers $\forall x.\varphi$ and $\exists x.\varphi$ in the input. Indeed, for propositional logic (logic without quantifiers), an algorithm satisfying the three properties above can be constructed trivially: define $\mathsf{reduce}(\mathcal{L}, \varphi)$ to be the formula obtained by replacing each atom $P$ in $\varphi$ with $\top$ if $\rho_{\mathcal{L}}(P) = \mathsf{tt}$, with $\bot$ if $\rho_{\mathcal{L}}(P) = \mathsf{ff}$, and with $P$ itself if $\rho_{\mathcal{L}}(P) = \mathsf{uu}$. This algorithm terminates because formulas are finite, its correctness can be proved by a simple induction on $\varphi$, and minimality is obvious from the definition of reduce.

However, as the reader may already anticipate, this simple idea does not extend to quantifiers. Consider, for instance, the behavior of the algorithm on inputs $\forall x.\varphi$ and $\mathcal{L}$. Because the output must be minimal, in order to reduce $\forall x.\varphi$, the algorithm must instantiate $x$ with each possible element of the domain and check the truth or falsity of $\varphi$ for that instance on $\mathcal{L}$. This immediately leads to non-termination because in models of realistic privacy policies the domain must be infinite, e.g., permissible time points and transmitted messages (which may contain free text in natural language) are both infinite sets.

Given the need for an infinite domain, something intrinsic in $\varphi$ must limit the number of relevant instances of $x$ that need to be checked to a finite number. This is precisely what our restricted form of universal quantification, $\forall x.(c \supset \varphi)$, accomplishes. Through the syntactic restrictions of Figure 1 and other static checks described later, we ensure that there are only a finite number of instances of $x$ for which $c$ is true on the given structure $\mathcal{L}$. Further, all such instances can be mechanically computed from $\mathcal{L}$. Although fulfilling these requirements is non-trivial, given that they hold, the rest of the algorithm is natural and syntax-directed.

Briefly, our enforcement regime contains the following components:

• An efficiently checkable relation $\vdash \varphi$ on policies, called a mode analysis (borrowing the term from logic programming [4]), which ensures that the relevant instances of each quantified variable in $\varphi$ are finite and computable.

• A function $\mathsf{sat}(\mathcal{L}, c)$ that computes all satisfying instances of the restriction $c$.

• The function $\mathsf{reduce}(\mathcal{L}, \varphi)$ that codifies a single iteration of enforcement. The definition of $\mathsf{reduce}(\mathcal{L}, \varphi)$ relies on $\mathsf{sat}(\mathcal{L}, c)$ and assumes that $\vdash \varphi$.

In the following, we explain each of these three components, starting with the main algorithm reduce (Section 4.1). After proving its correctness and minimality (Section 4.2), we proceed to define sat and the relation $\vdash \varphi$ (Section 4.3).

4.1 Iterative Enforcement Algorithm

The core of our enforcement regime is a computable function $\mathsf{reduce}(\mathcal{L}, \varphi) = \psi$ that discharges obligations from the prevalent policy $\varphi$ using information from the extant structure $\mathcal{L}$ to obtain a residual policy $\psi$. Given an initial policy $\varphi_0$ and a sequence of structures $\mathcal{L}_1 \leq \mathcal{L}_2 \leq \ldots \leq \mathcal{L}_n$, the reduction algorithm can be applied repeatedly to obtain $\varphi_1, \ldots, \varphi_n$ such that $\mathsf{reduce}(\mathcal{L}_i, \varphi_{i-1}) = \varphi_i$. We write this process in symbols as $\varphi_0 \xrightarrow{\mathcal{L}_1} \varphi_1 \xrightarrow{\mathcal{L}_2} \cdots \xrightarrow{\mathcal{L}_n} \varphi_n$. Correctness (Theorem 4.2) guarantees that $\varphi_n$ is equivalent to $\varphi_0$ in all extensions of $\mathcal{L}_n$, while minimality (Theorem 4.3) certifies that $\varphi_n$ contains only those atoms of $\varphi_0$ that could not be discharged using the information in $\mathcal{L}_n$ (by definition, $\mathcal{L}_n$ subsumes the information in $\mathcal{L}_1, \ldots, \mathcal{L}_{n-1}$). We note that our correctness and minimality results are independent of the frequency or scheme used for application of reduce.

The definition of $\mathsf{reduce}(\mathcal{L}, \varphi)$ has two dependencies, whose formal definitions are postponed to Section 4.3. First, the function assumes that its input $\varphi$ is well-moded, formally written $\vdash \varphi$. Well-modedness is a static check, linear in the size of $\varphi$, which ensures that the satisfying instances of each restriction $c$ in each quantifier in $\varphi$ are finite and computable. Second, $\mathsf{reduce}(\mathcal{L}, \varphi)$ assumes a function $\mathsf{sat}(\mathcal{L}, c)$ that computes all satisfying instances of restriction $c$ in structure $\mathcal{L}$. The output of $\mathsf{sat}(\mathcal{L}, c)$ is a finite set of substitutions $\{\sigma_1, \ldots, \sigma_n\}$, where each substitution $\sigma_i$ is a finite map from free variables of $c$ to ground terms. $\mathsf{sat}(\mathcal{L}, c)$ satisfies the following condition: $\mathcal{L} \models c\sigma$ iff $\sigma \in \mathsf{sat}(\mathcal{L}, c)$.

The function $\mathsf{reduce}(\mathcal{L}, \varphi)$ is defined by induction on $\varphi$ in Figure 2. For atoms $P$, $\mathsf{reduce}(\mathcal{L}, P)$ equals $\top$, $\bot$, or $P$, according to whether $\rho_{\mathcal{L}}(P)$ equals tt, ff, or uu. In particular, in the absence of human input $\rho_{\mathcal{L}}(P_S) = \mathsf{uu}$ for a subjective atom $P_S$ and hence $\mathsf{reduce}(\mathcal{L}, P_S) = P_S$. The clauses for the connectives $\top$, $\bot$, $\wedge$, and $\vee$ are straightforward. To evaluate $\mathsf{reduce}(\mathcal{L}, \forall x.(c \supset \varphi))$, we first determine the set of instances of $x$ that satisfy $c$ by calling $\mathsf{sat}(\mathcal{L}, c)$. For each such instance $t_1, \ldots, t_n$, we reduce $\varphi[t_i/x]$ to $\psi_i$ through a recursive call to reduce. Because all instances of $\varphi$ must hold in order for $\forall x.(c \supset \varphi)$ to be true, the output is $\psi_1 \wedge \ldots \wedge \psi_n \wedge \psi'$, where the last conjunct $\psi'$ records the fact that instances of $x$ other than $t_1, \ldots, t_n$ have not been considered. The latter is necessary because there may be instances of $x$ satisfying $c$ in extensions of $\mathcal{L}$, but not in $\mathcal{L}$ itself. Precisely, we define $S = \{t_1, \ldots, t_n\}$ and $\psi' = \forall x.((c \wedge x \notin S) \supset \varphi)$. The new conjunct $x \notin S$ prevents the instances $t_1, \ldots, t_n$ from being checked again in subsequent iterations. Formally, $x \notin S$ is an objective predicate that encodes the negation of usual finite-set membership. The treatment of $\exists x.(c \wedge \varphi)$ is dual; in that case, the output contains disjunctions because the truth of any one instance of $\varphi$ suffices for the formula to hold.

\[
\begin{array}{lcl}
\mathsf{reduce}(\mathcal{L}, P) & = & \left\{\begin{array}{ll} \top & \text{if } \rho_{\mathcal{L}}(P) = \mathsf{tt} \\ \bot & \text{if } \rho_{\mathcal{L}}(P) = \mathsf{ff} \\ P & \text{if } \rho_{\mathcal{L}}(P) = \mathsf{uu} \end{array}\right. \\[4ex]
\mathsf{reduce}(\mathcal{L}, \top) & = & \top \\
\mathsf{reduce}(\mathcal{L}, \bot) & = & \bot \\
\mathsf{reduce}(\mathcal{L}, \varphi_1 \wedge \varphi_2) & = & \mathsf{reduce}(\mathcal{L}, \varphi_1) \wedge \mathsf{reduce}(\mathcal{L}, \varphi_2) \\
\mathsf{reduce}(\mathcal{L}, \varphi_1 \vee \varphi_2) & = & \mathsf{reduce}(\mathcal{L}, \varphi_1) \vee \mathsf{reduce}(\mathcal{L}, \varphi_2) \\[1ex]
\mathsf{reduce}(\mathcal{L}, \forall x.(c \supset \varphi)) & = & \mathbf{let}\ \{\sigma_1, \ldots, \sigma_n\} \leftarrow \mathsf{sat}(\mathcal{L}, c) \\
& & \phantom{\mathbf{let}\ } \{t_i \leftarrow \sigma_i(x)\}_{i=1}^{n} \\
& & \phantom{\mathbf{let}\ } S \leftarrow \{t_1, \ldots, t_n\} \\
& & \phantom{\mathbf{let}\ } \{\psi_i \leftarrow \mathsf{reduce}(\mathcal{L}, \varphi[t_i/x])\}_{i=1}^{n} \\
& & \phantom{\mathbf{let}\ } \psi' \leftarrow \forall x.((c \wedge x \notin S) \supset \varphi) \\
& & \mathbf{return}\ \psi_1 \wedge \ldots \wedge \psi_n \wedge \psi' \\[1ex]
\mathsf{reduce}(\mathcal{L}, \exists x.(c \wedge \varphi)) & = & \mathbf{let}\ \{\sigma_1, \ldots, \sigma_n\} \leftarrow \mathsf{sat}(\mathcal{L}, c) \\
& & \phantom{\mathbf{let}\ } \{t_i \leftarrow \sigma_i(x)\}_{i=1}^{n} \\
& & \phantom{\mathbf{let}\ } S \leftarrow \{t_1, \ldots, t_n\} \\
& & \phantom{\mathbf{let}\ } \{\psi_i \leftarrow \mathsf{reduce}(\mathcal{L}, \varphi[t_i/x])\}_{i=1}^{n} \\
& & \phantom{\mathbf{let}\ } \psi' \leftarrow \exists x.((c \wedge x \notin S) \wedge \varphi) \\
& & \mathbf{return}\ \psi_1 \vee \ldots \vee \psi_n \vee \psi'
\end{array}
\]

Figure 2: Definition of $\mathsf{reduce}(\mathcal{L}, \varphi)$

Example 4.1. We illustrate iterative enforcement on the policy $\varphi_0 = \mathsf{G}\,\varphi_{\mathsf{pol2}}$ that we obtained via translation in Example 2.3. The policy requires that the recipient of a request for information respond within 30 days with the information. We advise the reader to revisit the example for the definition of $\varphi_0$. For the purpose of explanation, let us define $\varphi(\tau, p, t)$ by pattern matching to be the formula satisfying $\varphi_0 = \forall \tau, p, t.\ (\mathsf{in}(\tau, 0, \infty) \wedge \mathsf{req}(p, t, \tau)) \supset \varphi(\tau, p, t)$. Informally, $\varphi(\tau, p, t)$ is the obligation that must be satisfied if principal $p$ requests information about attribute $t$ from her record at time $\tau$.

Suppose that we first run $\mathsf{reduce}(\mathcal{L}, \varphi_0)$ in a structure $\mathcal{L}$ which has the states 1, 3, 7, only one request, Alice's request for her medical record (attribute $mr$) at time 3, and no other information. Intuitively, this information implies that $\mathsf{sat}(\mathcal{L}, \mathsf{in}(\tau, 0, \infty) \wedge \mathsf{req}(p, t, \tau)) = \{(\tau, p, t) \mapsto (3, \mathsf{Alice}, mr)\}$. (We check formally in Example 4.6 that this is actually the case.) Hence, by the definition of reduce, we know that $\mathsf{reduce}(\mathcal{L}, \varphi_0) = \psi_1 \wedge \varphi'_0$, where $\psi_1 = \mathsf{reduce}(\mathcal{L}, \varphi[(3, \mathsf{Alice}, mr)/(\tau, p, t)])$ and $\varphi'_0 = \forall \tau, p, t.\ (\mathsf{in}(\tau, 0, \infty) \wedge \mathsf{req}(p, t, \tau) \wedge (\tau, p, t) \notin \{(3, \mathsf{Alice}, mr)\}) \supset \varphi(\tau, p, t)$. The reader may check that because the trace has no other information, $\psi_1 = \varphi[(3, \mathsf{Alice}, mr)/(\tau, p, t)]$, so the output of the reduction is $\psi_1 \wedge \varphi'_0$. Expansion of the formula $\psi_1$ shows that it is precisely the obligation that the recipient respond to Alice with her medical record in 30 days. Call this entire output $\varphi_1$.

Consider a second round of audit on the reduced policy $\varphi_1$ and an extended trace $\mathcal{L}'$ which has the additional state 11 in which Bob, in role "records", responds with a message $M$ to Alice. Since $\varphi_1 = \psi_1 \wedge \varphi'_0$, we have $\mathsf{reduce}(\mathcal{L}', \varphi_1) = \mathsf{reduce}(\mathcal{L}', \psi_1) \wedge \mathsf{reduce}(\mathcal{L}', \varphi'_0)$. The reader may check that $\mathsf{reduce}(\mathcal{L}', \varphi'_0) = \varphi'_0$ because the top-level restriction in $\varphi'_0$ has no satisfying instance in $\mathcal{L}'$. Thus, we consider here the reduction of $\psi_1$. Note that $\psi_1$ has the form $\exists \tau', q, m.\ ((\mathsf{in}(\tau', 3, 33) \wedge \mathsf{inrole}(q, \mathsf{records}, \tau') \wedge \mathsf{send}(q, \mathsf{Alice}, m, \tau')) \wedge \varphi'(\tau', q, m))$. To calculate its reduction, we first observe that from the information in $\mathcal{L}'$, it should follow that $\mathsf{sat}(\mathcal{L}', \mathsf{in}(\tau', 3, 33) \wedge \mathsf{inrole}(q, \mathsf{records}, \tau') \wedge \mathsf{send}(q, \mathsf{Alice}, m, \tau')) = \{(\tau', q, m) \mapsto (11, \mathsf{Bob}, M)\}$. (Again, we check formally in Example 4.6 that this is the case.) Consequently, $\mathsf{reduce}(\mathcal{L}', \psi_1) = \psi'_1 \vee \varphi'_1$, where $\psi'_1 = \mathsf{reduce}(\mathcal{L}', \varphi'(11, \mathsf{Bob}, M))$ and $\varphi'_1 = \exists \tau', q, m.\ ((\mathsf{in}(\tau', 3, 33) \wedge \mathsf{inrole}(q, \mathsf{records}, \tau') \wedge \mathsf{send}(q, \mathsf{Alice}, m, \tau') \wedge (\tau', q, m) \notin \{(11, \mathsf{Bob}, M)\}) \wedge \varphi'(\tau', q, m))$. We calculate $\psi'_1$ below. The second disjunct $\varphi'_1$ simply means that the policy is satisfied if at some point other than 11 (but before 33), someone in role "records" sends Alice's $mr$ to her.

What is $\psi'_1 = \mathsf{reduce}(\mathcal{L}', \varphi'(11, \mathsf{Bob}, M))$? Expanding $\varphi'$, we have $\varphi'(11, \mathsf{Bob}, M) = \mathsf{contains}(M, \mathsf{Alice}, mr, 11) \wedge \psi_2$, where $\psi_2 = \forall \tau''.\ (\mathsf{in}(\tau'', 3, 11) \wedge \tau'' \neq 11) \supset \mathsf{ftr}(\mathsf{Alice}, mr, \tau'')$. Because contains is a subjective predicate, $\rho_{\mathcal{L}'}(\mathsf{contains}(M, \mathsf{Alice}, mr, 11)) = \mathsf{uu}$ so, by definition, $\mathsf{reduce}(\mathcal{L}', \mathsf{contains}(M, \mathsf{Alice}, mr, 11)) = \mathsf{contains}(M, \mathsf{Alice}, mr, 11)$. Hence, if $\mathsf{reduce}(\mathcal{L}', \psi_2) = \psi'_2$, then $\psi'_1 = \mathsf{contains}(M, \mathsf{Alice}, mr, 11) \wedge \psi'_2$.

To compute $\psi'_2$, we note that $\mathsf{sat}(\mathcal{L}', \mathsf{in}(\tau'', 3, 11) \wedge \tau'' \neq 11) = \{\tau'' \mapsto 3, \tau'' \mapsto 7\}$. It follows that $\mathsf{reduce}(\mathcal{L}', \psi_2) = \psi'_2 = \mathsf{ftr}(\mathsf{Alice}, mr, 3) \wedge \mathsf{ftr}(\mathsf{Alice}, mr, 7) \wedge \psi''_2$, where $\psi''_2 = \forall \tau''.\ (\mathsf{in}(\tau'', 3, 11) \wedge \tau'' \neq 11 \wedge \tau'' \notin \{3, 7\}) \supset \mathsf{ftr}(\mathsf{Alice}, mr, \tau'')$. Informally, $\psi'_2$ means that it should have been infeasible to respond to Alice at times 3 and 7 (which are the only two observed time points on $\mathcal{L}'$ before the response at time 11), and also at any other time points between 3 and 11 that may show up in extensions of $\mathcal{L}'$.

Putting back the various formulae, we have $\mathsf{reduce}(\mathcal{L}', \varphi_1) = (\psi'_1 \vee \varphi'_1) \wedge \varphi'_0$, where $\psi'_1 = \mathsf{contains}(M, \mathsf{Alice}, mr, 11) \wedge \psi'_2$ means that the message $M$ sent to Alice at time 11 contains her $mr$ and that it was infeasible to respond earlier ($\psi'_2$), $\varphi'_1$ allows for the possibility to satisfy Alice's request through another response before time 33, and $\varphi'_0$ enforces the top-level policy on any other requests. This is exactly what we might expect from an informal analysis. Further, note that the reduction exposes the ground subjective atoms $\mathsf{contains}(M, \mathsf{Alice}, mr, 11)$, $\mathsf{ftr}(\mathsf{Alice}, mr, 3)$ and $\mathsf{ftr}(\mathsf{Alice}, mr, 7)$ for a human auditor to inspect and discharge.

4.2  Correctness  and  Minimality  of  Enforcement 

The function reduce is correct in the sense that its input and output formulas contain the same obligations. Formally, if $\mathsf{reduce}(\mathcal{L}, \varphi) = \psi$, then in all extensions of $\mathcal{L}$, $\varphi$ is true iff $\psi$ is true and $\varphi$ is false iff $\psi$ is false.

Theorem 4.2 (Correctness of reduce). If $\mathsf{reduce}(\mathcal{L}, \varphi) = \psi$ and $\mathcal{L}' \geq \mathcal{L}$, then (1) $\mathcal{L}' \models \varphi$ iff $\mathcal{L}' \models \psi$ and (2) $\mathcal{L}' \models \overline{\varphi}$ iff $\mathcal{L}' \models \overline{\psi}$.

Proof. See Appendix B, Theorem B.5. □

The proof of this theorem relies on correctness of sat, which we prove in the next subsection (Theorem 4.5). Correctness of iterative enforcement is an immediate corollary of Theorem 4.2. We can prove by induction on $n$ that if $\varphi_0 \xrightarrow{\mathcal{L}_1} \varphi_1 \cdots \xrightarrow{\mathcal{L}_n} \varphi_n$, then for all extensions $\mathcal{L} \geq \mathcal{L}_n$, $\mathcal{L} \models \varphi_n$ iff $\mathcal{L} \models \varphi_0$ and $\mathcal{L} \models \overline{\varphi_n}$ iff $\mathcal{L} \models \overline{\varphi_0}$.

Next, we wish to prove that if $\mathsf{reduce}(\mathcal{L}, \varphi) = \psi$ then $\psi$ is minimal with respect to $\varphi$ and $\mathcal{L}$, i.e., an atom occurs in $\psi$ only if it occurs in $\varphi$ and its interpretation in $\mathcal{L}$ is unknown. Unfortunately, owing to quantification, there is no standard definition of the set of atoms of a formula of first-order logic. In the following, we provide one natural definition of the atoms of a formula and characterize minimality with respect to it; other similar characterizations are possible. If $\vdash \varphi$, we define the set of atoms of a formula $\varphi$ with respect to a structure $\mathcal{L}$ as follows.

\[
\begin{array}{lcl}
\mathsf{atoms}(\mathcal{L}, P_S) & = & \{P_S\} \\
\mathsf{atoms}(\mathcal{L}, P_O) & = & \{P_O\} \\
\mathsf{atoms}(\mathcal{L}, \top) & = & \{\} \\
\mathsf{atoms}(\mathcal{L}, \bot) & = & \{\} \\
\mathsf{atoms}(\mathcal{L}, \varphi_1 \wedge \varphi_2) & = & \mathsf{atoms}(\mathcal{L}, \varphi_1) \cup \mathsf{atoms}(\mathcal{L}, \varphi_2) \\
\mathsf{atoms}(\mathcal{L}, \varphi_1 \vee \varphi_2) & = & \mathsf{atoms}(\mathcal{L}, \varphi_1) \cup \mathsf{atoms}(\mathcal{L}, \varphi_2) \\
\mathsf{atoms}(\mathcal{L}, \forall x.(c \supset \varphi)) & = & \bigcup_{\sigma \in \mathsf{sat}(\mathcal{L}, c)} \mathsf{atoms}(\mathcal{L}, \varphi\sigma) \\
\mathsf{atoms}(\mathcal{L}, \exists x.(c \wedge \varphi)) & = & \bigcup_{\sigma \in \mathsf{sat}(\mathcal{L}, c)} \mathsf{atoms}(\mathcal{L}, \varphi\sigma)
\end{array}
\]

The following theorem characterizes minimality of reduce with respect to the above definition of atoms in a formula.

Theorem 4.3 (Minimality). Suppose $\vdash \varphi$ and $\mathsf{reduce}(\mathcal{L}, \varphi) = \psi$. Then $\mathsf{atoms}(\mathcal{L}, \psi) \subseteq \mathsf{atoms}(\mathcal{L}, \varphi) \cap \{P \mid \rho_{\mathcal{L}}(P) = \mathsf{uu}\}$.

Proof. See Appendix B, Theorem B.12. □

Example 4.4. Revisiting Example 4.1, we check that the output produced by the second reduction satisfies Theorem 4.3. Recall that the second reduction is $\mathsf{reduce}(\mathcal{L}', \varphi_1) = (\psi'_1 \vee \varphi'_1) \wedge \varphi'_0$. $\varphi'_1$ and $\varphi'_0$ each have top-level quantifiers whose guards have no satisfying instances in $\mathcal{L}'$ so, by definition of atoms, $\varphi'_1$ and $\varphi'_0$ have no atoms w.r.t. $\mathcal{L}'$. Thus we turn to $\psi'_1$. It is easy to check that $\mathsf{atoms}(\mathcal{L}', \psi'_1)$ is the three-element set $\{\mathsf{contains}(M, \mathsf{Alice}, mr, 11), \mathsf{ftr}(\mathsf{Alice}, mr, 3), \mathsf{ftr}(\mathsf{Alice}, mr, 7)\}$. Further, from the analysis of Example 4.1, each of these three atoms also exists in $\mathsf{atoms}(\mathcal{L}', \varphi_1)$. Finally, each of the three atoms is subjective, so each has a valuation uu in $\mathcal{L}'$.
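
The following Python program, added here as an example rather than taken from the paper, implements reduce of Figure 2 together with the lifted sat of Section 4.3 over a partial structure abstracted from a small log, and replays the two reductions of Example 4.1. The encoding of the predicates (in, req, inrole, send, and the subjective contains and ftr), the log facts, and the rule that any time point not recorded in the log has valuation uu are assumptions of the example. Running it reproduces the residual policy $(\psi'_1 \vee \varphi'_1) \wedge \varphi'_0$ with the three subjective atoms of Example 4.4 exposed, and shows that $\varphi'_0$ passes through the second round unchanged.

```python
# Added example (not code from the paper): reduce(L, phi) of Figure 2 over a partial structure
# abstracted from an audit log, together with the lifted sat(L, c) of Section 4.3, run on the
# scenario of Examples 4.1 and 4.4.  Formulas are nested tuples whose variables are strings
# starting with '?': ('atom', pred, args), ('top',), ('bot',), ('and', a, b), ('or', a, b),
# ('forall', xs, c, phi), ('exists', xs, c, phi), and ('notin', xs, S) for the objective
# predicate "xs not in S" (tau'' != tau' is written as tau'' not in {tau'}).  Time points are
# integers and ('+', t, k) is the term t + k.
INF = float('inf')
TT, FF, UU = 'tt', 'ff', 'uu'
SUBJECTIVE = {'contains', 'ftr'}          # assumed subjective predicates: valuation always uu
is_var = lambda t: isinstance(t, str) and t.startswith('?')

def ground(t, s):                         # apply s to a term; time arithmetic folds once its operand is known
    if isinstance(t, tuple):
        v = ground(t[1], s)
        return v + t[2] if isinstance(v, int) else ('+', v, t[2])
    return s.get(t, t) if is_var(t) else t

def apply(phi, s):                        # phi[s]; variables bound by an inner quantifier are left alone
    k = phi[0]
    if k == 'atom':
        return (k, phi[1], tuple(ground(a, s) for a in phi[2]))
    if k == 'notin':
        return (k, tuple(ground(a, s) for a in phi[1]), frozenset(tuple(ground(a, s) for a in r) for r in phi[2]))
    if k in ('forall', 'exists'):
        s = {v: t for v, t in s.items() if v not in phi[1]}
        return (k, phi[1], apply(phi[2], s), apply(phi[3], s))
    return (k, apply(phi[1], s), apply(phi[2], s)) if k in ('and', 'or') else phi

class LogStructure:                       # partial structure abstracted from an audit log
    def __init__(self, states, facts):    # recorded time points; objective facts with the time stamp last
        self.states, self.facts = sorted(states), {p: set(rows) for p, rows in facts.items()}
    def rho(self, pred, args):            # three-valued valuation rho_L of a ground atom
        if pred in SUBJECTIVE:
            return UU
        if pred == 'in':                  # in(tau, lo, hi): tau is a recorded state within [lo, hi]
            if args[0] not in self.states:
                return UU                 # past/future incompleteness: the state is not (yet) known
            return TT if args[1] <= args[0] <= args[2] else FF
        if args in self.facts.get(pred, ()):
            return TT
        return FF if args[-1] in self.states else UU   # actions are fully recorded at observed states
    def candidates(self, pred, args):     # atom-level sat: ground tuples to match; inputs must be ground
        if pred == 'in':
            return [(t, args[1], args[2]) for t in self.states if args[1] <= t <= args[2]]
        return sorted(self.facts.get(pred, ()))

def unify(args, row):                     # bind the variables of args to the ground tuple row, or None
    s = {a: r for a, r in zip(args, row) if is_var(a)}
    return s if all(s.get(a, a) == r for a, r in zip(args, row)) else None

def sat(L, c):                            # substitutions making c true in L; c1's outputs feed c2
    k = c[0]
    if k in ('top', 'bot'):
        return [{}] if k == 'top' else []
    if k == 'notin':                      # xs is ground here whenever c is well-moded
        return [{}] if tuple(c[1]) not in c[2] else []
    if k == 'and':
        return [{**s1, **s2} for s1 in sat(L, c[1]) for s2 in sat(L, apply(c[2], s1))]
    if k == 'or':
        return sat(L, c[1]) + sat(L, c[2])
    if not any(is_var(a) for a in c[2]):  # ground atom: decided by the valuation alone
        return [{}] if L.rho(c[1], c[2]) == TT else []
    return [s for s in (unify(c[2], row) for row in L.candidates(c[1], c[2])) if s is not None]

def reduce_(L, phi):                      # one enforcement iteration, as in Figure 2 (no top/bot folding)
    k = phi[0]
    if k == 'atom':
        v = L.rho(phi[1], phi[2])
        return ('top',) if v == TT else ('bot',) if v == FF else phi
    if k in ('and', 'or'):
        return (k, reduce_(L, phi[1]), reduce_(L, phi[2]))
    if k not in ('forall', 'exists'):
        return phi                        # top, bot
    xs, c, body = phi[1], phi[2], phi[3]
    subs = sat(L, c)                      # {sigma_1, ..., sigma_n}: the instances decidable on L
    if not subs:
        return phi                        # Q xs.((c and xs not in {}) ...) is equivalent to phi
    S = frozenset(tuple(s[x] for x in xs) for s in subs)
    out = (k, xs, ('and', c, ('notin', xs, S)), body)      # psi': instances not yet seen
    for s in reversed(subs):              # psi_1 op ... op psi_n op psi'
        out = ('and' if k == 'forall' else 'or', reduce_(L, apply(body, s)), out)
    return out

def example_4_1():                        # Alice requests mr at time 3; Bob (role records) sends her M at 11
    T, P, A, T2, Q, M, T3 = '?tau', '?p', '?t', "?tau'", '?q', '?m', "?tau''"
    at = lambda pred, *args: ('atom', pred, args)
    obligation = ('and', at('contains', M, P, A, T2), ('forall', (T3,),               # phi'(tau', q, m)
                  ('and', at('in', T3, T, T2), ('notin', (T3,), frozenset({(T2,)}))), at('ftr', P, A, T3)))
    respond = ('exists', (T2, Q, M), ('and', ('and', at('in', T2, T, ('+', T, 30)),   # phi(tau, p, t)
               at('inrole', Q, 'records', T2)), at('send', Q, P, M, T2)), obligation)
    phi0 = ('forall', (T, P, A), ('and', at('in', T, 0, INF), at('req', P, A, T)), respond)
    L = LogStructure({1, 3, 7}, {'req': {('Alice', 'mr', 3)}})
    L_prime = LogStructure({1, 3, 7, 11}, {'req': {('Alice', 'mr', 3)}, 'inrole': {('Bob', 'records', 11)},
                                           'send': {('Bob', 'Alice', 'M', 11)}})
    phi1 = reduce_(L, phi0)                                                   # psi_1 and phi'_0
    return phi1, reduce_(L_prime, phi1), L_prime                              # (psi'_1 or phi'_1) and phi'_0
```

The returned second formula has the shape $(\psi'_1 \vee \varphi'_1) \wedge \varphi'_0$: its first conjunct's left disjunct starts with the atom contains(M, Alice, mr, 11), followed by ftr(Alice, mr, 3), ftr(Alice, mr, 7) and the residual quantifier whose guard now excludes 3 and 7, while the right disjunct and the second conjunct are the residual quantifiers with guards excluding (11, Bob, M) and (3, Alice, mr) respectively. The shortcut that returns a quantified formula unchanged when its guard has no instance is an equivalence-preserving simplification of the figure's $\psi'$ with $S = \{\}$; it is what makes $\varphi'_0$ literally unchanged in the second round, as Example 4.1 states.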


4.3  Quantifier  Instantiation  and  Mode  Analysis 

Having described our main enforcement function reduce, we turn to the mode analysis relation $\vdash \varphi$ and the function sat on which the definition of reduce relies. The rest of this paper can be understood without understanding this section, so the disinclined reader may choose to skip it.

Input and Output  The objective of our mode analysis, as mentioned earlier, is to ensure that the set of satisfying instances of quantified variables $x$ in a restriction $c$ be both finite and computable. Our method of mode analysis is inspired by, and based on, a similar technique in logic programming (see, e.g., [4]). The key observation in mode analysis is that, for many predicates, the set of all satisfying instances on any given structure can be computed finitely if arguments in certain positions are ground. The reason why instances can be computed may vary from predicate to predicate; we illustrate some such computations from prior examples.

1. Given a ground $m$, the set of $q, t$ such that $\mathsf{tagged}(m, q, t, \tau)$ holds is finite and can be computed from $m$ itself, as we assumed in Example 2.1. (Note that the last argument $\tau$ is an artifact of our translation and is irrelevant here.)

2. For an action predicate like $\mathsf{send}(p_1, p_2, m, \tau)$, we can compute all instances of $p_1, p_2, m, \tau$ for which $\mathsf{send}(p_1, p_2, m, \tau)$ holds simply by querying the given system log.

3. Given ground $\tau_2, \tau_3$, we can compute all $\tau_1$ such that $\mathsf{in}(\tau_1, \tau_2, \tau_3)$ by looking at the states in the given system log and selecting the subset that lie in the interval $[\tau_2, \tau_3]$.

4. Given ground $r$ and $\tau$, we can compute all principals $p$ such that $\mathsf{inrole}(p, r, \tau)$ by looking at the roles' database.

Note that in each of the cases 1-4, we require that certain argument positions be ground (e.g., $m$ in 1 and $\tau_2, \tau_3$ in 3), and compute others (e.g., $q, t$ in 1 and $\tau_1$ in 3). We call these the input and output argument positions, respectively. Formally, we represent input and output positions by two partial functions $I$ and $O$ (input and output) from predicates to $2^{\mathbb{N}}$, which we assume are given to us. The functions are partial because satisfying instances of certain predicates, including all subjective predicates, are not computable. Following the earlier example, we could choose:

1. $I(\mathsf{tagged}) = \{1\}$, $O(\mathsf{tagged}) = \{2, 3\}$

2. $I(\mathsf{send}) = \{\}$, $O(\mathsf{send}) = \{1, 2, 3, 4\}$

3. $I(\mathsf{in}) = \{2, 3\}$, $O(\mathsf{in}) = \{1\}$

4. $I(\mathsf{inrole}) = \{2, 3\}$, $O(\mathsf{inrole}) = \{1\}$

For a subjective predicate $p_S$, $I(p_S)$ and $O(p_S)$ are undefined. The sets $I(p)$ and $O(p)$ are called a moding of predicate $p$. If $i \in I(p)$ ($i \in O(p)$), we say that the $i$th argument of $p$ is in input (output) mode. Certain arguments may be in neither input nor output mode, e.g., argument 4 of the predicate tagged. Also, the same predicate may be moded in multiple ways. For example, both the assignments ($I(\mathsf{send}) = \{\}$, $O(\mathsf{send}) = \{1, 2, 3, 4\}$) and ($I(\mathsf{send}) = \{1\}$, $O(\mathsf{send}) = \{2, 3, 4\}$) are correct. However, it suffices to assume that each predicate has a unique moding, because we can use different names for predicates with the same interpretation but different modings.

Substitution Computation  A substitution $\sigma$ is a finite map from variables to ground terms. Say that a substitution $\sigma'$ extends a substitution $\sigma$, written $\sigma' \geq \sigma$, if $\mathrm{dom}(\sigma') \supseteq \mathrm{dom}(\sigma)$ and for all $x \in \mathrm{dom}(\sigma)$, $\sigma(x) = \sigma'(x)$. We abstract the computation of terms in output positions from terms in input positions as a partial computable function $\underline{\mathsf{sat}}$ (written with an underline to distinguish it from its lifting $\mathsf{sat}$ to restrictions, defined below). The input of the function is a pair containing a structure and an atom; its output is a finite set of substitutions. The function $\underline{\mathsf{sat}}$ satisfies the following condition:

Given a structure $\mathcal{L}$ and an atom $p(t_1, \ldots, t_n)$ such that for all $i \in I(p)$, $t_i$ is ground, $\underline{\mathsf{sat}}(\mathcal{L}, p(t_1, \ldots, t_n))$ is the set of all substitutions for variables in $\bigcup_{j \in O(p)} \mathrm{fv}(t_j)$ that have extensions $\sigma$ such that $\mathcal{L} \models p(t_1, \ldots, t_n)\sigma$.

For example, if in structure $\mathcal{L}$, principal Charlie has doctors Alice and Bob at time $\tau$, then $\underline{\mathsf{sat}}(\mathcal{L}, \mathsf{inrole}(p, \mathsf{doc}(\mathsf{Charlie}), \tau))$ would be the two-element set $\{p \mapsto \mathsf{Alice}, p \mapsto \mathsf{Bob}\}$. If the input arguments in atom $P$ are not ground, then $\underline{\mathsf{sat}}(\mathcal{L}, P)$ may be undefined. For example, if either $\tau_2$ or $\tau_3$ is not ground, then $\underline{\mathsf{sat}}(\mathcal{L}, \mathsf{in}(\tau_1, \tau_2, \tau_3))$ is undefined. Because subjective predicates are not computable, $\underline{\mathsf{sat}}(\mathcal{L}, P_S)$ is also undefined for every subjective atom $P_S$. In practice, the function $\underline{\mathsf{sat}}(\mathcal{L}, P)$ could be implemented through queries to the database that stores the audit log.

We lift the function $\underline{\mathsf{sat}}$ to the function $\mathsf{sat}$ that computes satisfying instances of restrictions. The specification of the lifted function $\mathsf{sat}(\mathcal{L}, c)$ is similar to that of $\underline{\mathsf{sat}}$: Given a partially ground restriction $c$, $\mathsf{sat}(\mathcal{L}, c)$ is a finite set of substitutions characterizing all satisfying instances of $c$.


\[
\begin{array}{lcl}
\mathsf{sat}(\mathcal{L}, p_O(t_1, \ldots, t_n)) & = & \underline{\mathsf{sat}}(\mathcal{L}, p_O(t_1, \ldots, t_n)) \\
\mathsf{sat}(\mathcal{L}, \top) & = & \{\bullet\} \\
\mathsf{sat}(\mathcal{L}, \bot) & = & \{\} \\
\mathsf{sat}(\mathcal{L}, c_1 \wedge c_2) & = & \bigcup_{\sigma \in \mathsf{sat}(\mathcal{L}, c_1)} \{\sigma + \sigma' \mid \sigma' \in \mathsf{sat}(\mathcal{L}, c_2\sigma)\} \\
\mathsf{sat}(\mathcal{L}, c_1 \vee c_2) & = & \mathsf{sat}(\mathcal{L}, c_1) \cup \mathsf{sat}(\mathcal{L}, c_2) \\
\mathsf{sat}(\mathcal{L}, \exists x.c) & = & \mathsf{sat}(\mathcal{L}, c) \setminus \{x\} \qquad (x \text{ fresh})
\end{array}
\]

For atoms, the definition of $\mathsf{sat}$ coincides with that of $\underline{\mathsf{sat}}$. Since $\top$ must always be true, $\mathsf{sat}(\mathcal{L}, \top)$ contains only the empty substitution (denoted $\bullet$). Since $\bot$ can never be satisfied, $\mathsf{sat}(\mathcal{L}, \bot)$ is empty. For $c_1 \wedge c_2$, the set of satisfying instances is obtained by taking those of $c_1$ (denoted $\sigma$ above), and conjoining each with the satisfying instances of $c_2\sigma$ (the operation $+$ is composition of substitutions with disjoint domains). The set of satisfying instances of $c_1 \vee c_2$ is the union of the satisfying instances of $c_1$ and $c_2$. Satisfying instances of $\exists x.c$ are obtained by taking those of $c$, and removing the substitutions for $x$.

$\mathsf{sat}$ is a partial function because the underlying function $\underline{\mathsf{sat}}$ is partial. For instance, taking an example from Section 2, $\mathsf{sat}(\mathcal{L}, \mathsf{send}(p_1, p_2, m, \tau) \wedge \mathsf{tagged}(m', q, t, \tau'))$ is undefined if $m'$ is a variable because any substitution $\sigma$ in the output of the recursive call $\mathsf{sat}(\mathcal{L}, \mathsf{send}(p_1, p_2, m, \tau))$ will not contain $m'$ in its domain and, therefore, in the call to $\mathsf{sat}(\mathcal{L}, \mathsf{tagged}(m', q, t, \tau')\sigma)$, the first argument to tagged will be non-ground. Since $I(\mathsf{tagged}) = \{1\}$, this recursive call may fail to return an answer. On the other hand, $\mathsf{sat}(\mathcal{L}, \mathsf{send}(p_1, p_2, m, \tau) \wedge \mathsf{tagged}(m, q, t, \tau'))$ is defined because the first argument of tagged in the second recursive call is $m$, which is grounded by the substitution $\sigma$ of the first recursive call. Despite being partial, $\mathsf{sat}(\mathcal{L}, c)$ represents all satisfying instances of $c$, whenever it is defined, as formalized by the following theorem.

Theorem 4.5 (Correctness of sat). If $\mathsf{sat}(\mathcal{L}, c)$ is defined then for any substitution $\sigma'$ with $\mathrm{dom}(\sigma') \supseteq \mathrm{fv}(c)$, $\mathcal{L} \models c\sigma'$ iff there is a substitution $\sigma \in \mathsf{sat}(\mathcal{L}, c)$ such that $\sigma' \geq \sigma$.

Proof. See Appendix B, Theorem B.3. □

Example 4.6. In Example 4.1, we informally evaluated sat at several places. Here, we justify the first two evaluations. In the first instance, we said that $\mathsf{sat}(\mathcal{L}, \mathsf{in}(\tau, 0, \infty) \wedge \mathsf{req}(p, t, \tau)) = \{(\tau, p, t) \mapsto (3, \mathsf{Alice}, mr)\}$. This follows from the observation that from the information in the structure $\mathcal{L}$, we must have $\mathsf{sat}(\mathcal{L}, \mathsf{in}(\tau, 0, \infty)) = \{\tau \mapsto 1, \tau \mapsto 3, \tau \mapsto 7\}$, $\mathsf{sat}(\mathcal{L}, \mathsf{req}(p, t, 3)) = \{(p, t) \mapsto (\mathsf{Alice}, mr)\}$ and $\mathsf{sat}(\mathcal{L}, \mathsf{req}(p, t, \tau)) = \{\}$ for $\tau \neq 3$. The result of applying $\mathsf{sat}$ follows from its definition.

Similarly, we calculated that $\mathsf{sat}(\mathcal{L}', \mathsf{in}(\tau', 3, 33) \wedge \mathsf{inrole}(q, \mathsf{records}, \tau') \wedge \mathsf{send}(q, \mathsf{Alice}, m, \tau')) = \{(\tau', q, m) \mapsto (11, \mathsf{Bob}, M)\}$. This follows because, from the description of $\mathcal{L}'$, $\mathsf{sat}(\mathcal{L}', \mathsf{in}(\tau', 3, 33)) = \{\tau' \mapsto 3, \tau' \mapsto 7, \tau' \mapsto 11\}$, $\mathsf{sat}(\mathcal{L}', \mathsf{inrole}(q, \mathsf{records}, \tau)) = \{q \mapsto \mathsf{Bob}\}$ for $\tau = 11$ and $\{\}$ otherwise, and $\mathsf{sat}(\mathcal{L}', \mathsf{send}(q, p, m, \tau')) = \{(q, p, m, \tau') \mapsto (\mathsf{Bob}, \mathsf{Alice}, M, 11)\}$.


Mode Analysis  Next, we define a static check of restrictions to rule out those on which $\mathsf{sat}$ is not defined, e.g., $\mathsf{send}(p_1, p_2, m, \tau) \wedge \mathsf{tagged}(m', q, t, \tau')$ described earlier. This static check is what we call the mode analysis. A restriction that passes the check is called well-moded. Formally, we define well-modedness as a relation $\chi_I \vdash c : \chi_O$, where $\chi_I$ and $\chi_O$ are sets of variables. If the relation holds, then for any $\sigma$ with $\mathrm{dom}(\sigma) \supseteq \chi_I$ and any $\mathcal{L}$, $\mathsf{sat}(\mathcal{L}, c\sigma)$ is defined and, further, any substitution in it contains all of $\chi_O \setminus \chi_I$ in its domain. ($\chi_I$ and $\chi_O$ are analogues of inputs and outputs for restrictions.)

\[
\begin{array}{c}
\dfrac{\forall k \in I(p_O).\ \mathrm{fv}(t_k) \subseteq \chi_I \qquad \chi_O = \chi_I \cup \bigcup_{j \in O(p_O)} \mathrm{fv}(t_j)}{\chi_I \vdash p_O(t_1, \ldots, t_n) : \chi_O}
\qquad \chi_I \vdash \top : \chi_I \qquad \chi_I \vdash \bot : \chi_I
\\[3ex]
\dfrac{\chi_I \vdash c_1 : \chi \qquad \chi \vdash c_2 : \chi_O}{\chi_I \vdash c_1 \wedge c_2 : \chi_O}
\qquad
\dfrac{\chi_I \vdash c_1 : \chi_1 \qquad \chi_I \vdash c_2 : \chi_2}{\chi_I \vdash c_1 \vee c_2 : \chi_1 \cap \chi_2}
\qquad
\dfrac{\chi_I \vdash c : \chi_O}{\chi_I \vdash \exists x.c : \chi_O \setminus \{x\}}
\\[3ex]
\dfrac{\forall k.\ \mathrm{fv}(t_k) \subseteq \chi}{\chi \vdash p(t_1, \ldots, t_k)}
\qquad \chi \vdash \top \qquad \chi \vdash \bot
\qquad
\dfrac{\chi \vdash \varphi_1 \qquad \chi \vdash \varphi_2}{\chi \vdash \varphi_1 \wedge \varphi_2}
\qquad
\dfrac{\chi \vdash \varphi_1 \qquad \chi \vdash \varphi_2}{\chi \vdash \varphi_1 \vee \varphi_2}
\\[3ex]
\dfrac{\chi \vdash c : \chi_O \qquad \vec{x} \subseteq \chi_O \qquad \mathrm{fv}(c) \subseteq \chi \cup \vec{x} \qquad \chi_O \vdash \varphi}{\chi \vdash \forall \vec{x}.(c \supset \varphi)}
\qquad
\dfrac{\chi \vdash c : \chi_O \qquad \vec{x} \subseteq \chi_O \qquad \mathrm{fv}(c) \subseteq \chi \cup \vec{x} \qquad \chi_O \vdash \varphi}{\chi \vdash \exists \vec{x}.(c \wedge \varphi)}
\end{array}
\]

(In the rules for quantifiers, bound variables $x$ or $\vec{x}$ must be renamed so that they are fresh.)

Figure 3: Moding Rules

The relation $\chi_I \vdash c : \chi_O$ is defined by the rules of Figure 3, which also constitute a linear-time decision procedure for deciding the relation (with inputs $c$ and $\chi_I$ and output $\chi_O$). We explain some of the rules. An atom $p(t_1, \ldots, t_k)$ is well-moded if the free variables (abbreviated fv) of input positions are ground (premise $\forall k \in I(p_O).\ \mathrm{fv}(t_k) \subseteq \chi_I$ of the first rule) and the output $\chi_O$ equals $\chi_I$ (which is already ground) unioned with $\bigcup_{j \in O(p_O)} \mathrm{fv}(t_j)$ (all of which must be in the domain of $\mathsf{sat}(\mathcal{L}, p(t_1, \ldots, t_n))$). The rule for conjunctions $c_1 \wedge c_2$ chains the outputs $\chi$ of $c_1$ into the inputs of $c_2$. The following theorem establishes that $\mathsf{sat}$ is total on well-moded restrictions and also establishes the relation between $\chi_I$, $\chi_O$ and the substitutions in the output of $\mathsf{sat}$.

Theorem  4.7  (Totality  of  sat).  If  xi  F  c  :  xco  then  for  all  structures  L  and  all  substitutions 
a  with  dom(cj)  I)  xj>  sat(£,ccr)  is  defined  and,  further,  for  each  substitution  a'  E  sat (£,ca), 
Xi  U  dom(cr')  D  xo- 

Proof.  See  Appendix  B,  Theorem  B.6.  □ 

We extend the mode-check on restrictions to formulas $\varphi$ of the sublogic. The objective of this mode-check is two-fold. First, the check ensures that all restrictions occurring in $\varphi$ are well-moded in the sense described above. Second, for quantifiers $\forall \vec{x}.(c \supset \varphi')$ and $\exists \vec{x}.(c \wedge \varphi')$, the check ensures that the quantified variables $\vec{x}$ are contained in the outputs ($\chi_O$) of the restriction $c$. (Hence, by Theorems 4.5 and 4.7, any substitution in $\mathrm{sat}(\mathcal{L}, c)$ grounds $\vec{x}$, which is central to the termination of reduce.) The mode-check is formalized as the relation $\chi \vdash \varphi$, meaning that for any substitution $\sigma$ with $\mathrm{dom}(\sigma) \supseteq \chi$ the formula $\varphi\sigma$ is well-moded. Its straightforward rules are shown in Figure 3. The rules constitute a linear-time decision procedure for checking the relation (with inputs $\chi$ and $\varphi$). In the rules for $\forall \vec{x}.(c \supset \varphi')$ and $\exists \vec{x}.(c \wedge \varphi')$, the first premises check that $c$ is well-moded. The second premises ensure that the variables $\vec{x}$ are contained in the output $\chi_O$ of the mode check on $c$. The third premises ensure that $c$ is closed. It can easily be checked that if $\chi \vdash \varphi$ then $\mathrm{fv}(\varphi) \subseteq \chi$.

We call a formula $\varphi$ well-moded if $\{\} \vdash \varphi$, which we abbreviate to $\vdash \varphi$. The following theorem shows that on well-moded formulas, the function reduce is total. Further, on a well-moded input, the output is also well-moded (so the output can be used as input in a subsequent iteration).

Theorem 4.8 (Totality of reduce). If $\vdash \varphi$ then there is a $\psi$ such that $\mathrm{reduce}(\mathcal{L}, \varphi) = \psi$ and $\vdash \psi$.

Proof.  See  Appendix  B,  Theorem  B.10.  □ 

Example 4.9. It can easily be checked that the formulas $\mathsf{G}\,\varphi_{pol1}$ and $\mathsf{G}\,\varphi_{pol2}$ defined in Example 2.3 are all well-moded (e.g., $\vdash \mathsf{G}\,\varphi_{pol1}$) using the definitions of $I$ and $O$ presented at the beginning of this subsection.
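As an added example that is not part of the paper, the following Python checks the mode relations of Figure 3 on a tuple encoding of $\mathsf{G}\,\varphi_{pol1}$ (in the form restated in Example 5.6). The input/output declarations $I(p)$ and the formula encoding are assumptions made for this example, not the paper's own definitions of $I$ and $O$.

```python
# Added example, not the paper's code: a checker for chi_I |- c : chi_O (restrictions)
# and chi |- phi (formulas), following the rules of Figure 3 as explained in the text.
# Syntax (nested tuples). Variables are strings starting with '?'; compound terms
# such as doc(q) are tuples ('doc', '?q'). Forms:
#   ('atom', p, args) | ('top',) | ('bot',) | ('and', a, b) | ('or', a, b)
#   ('forall', xs, c, body)  for  forall x.(c -> body)
#   ('exists', xs, c, body)  for  exists x.(c and body)
def atom(p, *args): return ('atom', p, args)
def conj(*cs):
    out = cs[-1]
    for c in reversed(cs[:-1]): out = ('and', c, out)
    return out
def is_var(t): return isinstance(t, str) and t.startswith('?')
def fv(t):  # free variables of a term
    if is_var(t): return {t}
    return set().union(*(fv(a) for a in t)) if isinstance(t, tuple) else set()
def fv_restriction(c):  # free variables of a restriction built from atoms, top and conjunction
    if c[0] == 'atom': return set().union(*(fv(t) for t in c[2]))
    return set().union(*(fv_restriction(x) for x in c[1:])) if c[0] == 'and' else set()

# ASSUMED I(p): argument positions that must be ground before p can be looked up in the
# log; every other position is an output position in O(p), bound by sat.
MODES = {
    'in': {1, 2},          # in(tau, lo, hi): the log enumerates tau within a ground interval
    'send': set(),         # send(p1, p2, m, tau): the log enumerates all sends
    'purp': {0, 2},        # purp(m, u, tau): u is an output, so it need not have a finite model
    'tagged': {0, 3}, 'attr_in': {0, 1, 2},
}

def mode_restriction(chi_in, c, modes=MODES):
    """chi_I |- c : chi_O. Returns chi_O, or None if c is not well-moded."""
    k = c[0]
    if k == 'top': return set(chi_in)
    if k == 'and':  # chain the outputs of c1 into the inputs of c2
        mid = mode_restriction(chi_in, c[1], modes)
        return None if mid is None else mode_restriction(mid, c[2], modes)
    if k == 'atom':
        _, p, args = c
        if any(i in modes[p] and not fv(t) <= chi_in for i, t in enumerate(args)):
            return None  # an input position mentions a variable that is not yet ground
        return set(chi_in).union(*(fv(t) for j, t in enumerate(args) if j not in modes[p]))
    raise ValueError(f'restriction form {k!r} is not covered by this example')

def mode_formula(chi, phi, modes=MODES):
    """chi |- phi (formula rules of Figure 3; bound variables are assumed distinct)."""
    k = phi[0]
    if k == 'atom': return all(fv(t) <= chi for t in phi[2])
    if k in ('top', 'bot'): return True
    if k in ('and', 'or'): return mode_formula(chi, phi[1], modes) and mode_formula(chi, phi[2], modes)
    _, xs, c, body = phi
    chi_out = mode_restriction(chi, c, modes)            # premise 1: c is well-moded
    return (chi_out is not None
            and set(xs) <= chi_out                      # premise 2: x in chi_O, so sat grounds x
            and fv_restriction(c) <= chi | set(xs)      # premise 3: c is closed
            and mode_formula(chi_out, body, modes))     # premise 4: chi_O |- body

def well_moded(phi, modes=MODES): return mode_formula(set(), phi, modes)

# G phi_pol1 as restated in Example 5.6 (the attribute variable t is written ?a here
# so that it does not clash with the time variable ?t).
POL1 = ('forall', ('?t', '?p1', '?p2', '?m', '?u', '?q', '?a'),
        conj(atom('in', '?t', 0, float('inf')), atom('send', '?p1', '?p2', '?m', '?t'),
             atom('purp', '?m', '?u', '?t'), atom('tagged', '?m', '?q', '?a', '?t'),
             atom('attr_in', '?a', 'phi', '?t')),
        ('or', ('and', atom('inrole', '?p2', ('doc', '?q'), '?t'),
                       atom('purp_in', '?u', 'treatment', '?t')),
               ('exists', ('?t2',), atom('in', '?t2', 0, '?t'),
                atom('consents', '?q', ('sendaction', '?p1', '?p2', ('?q', '?a')), '?t2'))))
```

With the modes above `well_moded(POL1)` holds; declaring `u` an input of `purp` (as a framework needing a finite model for every variable would) makes the same policy fail the check, which is the situation discussed in the comparison with Basin et al. in Section 7.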

5  Specific  Instances  of  Enforcement 

We analyze the behavior of our enforcement algorithm on two restricted classes of structures. First, we consider objectively-complete structures, those that map every objective atom to either $\mathsf{tt}$ or $\mathsf{ff}$ (Section 5.1). We show that for such structures $\mathcal{L}$, the output of $\mathrm{reduce}(\mathcal{L}, \varphi)$ can be simplified to conjunctions and disjunctions of ground subjective atoms through trivial rewriting (e.g., replacing $\top \wedge \psi$ with $\psi$), thus making it more amenable to human inspection. We also obtain a decision procedure to decide the truth and falsity of input formulas without subjective predicates.

Second,  we  consider  past-complete  structures,  those  that  have  complete  information  up  to  a 
specific  point  of  time  (Section  5.2).  This  corresponds  to  the  standard  assumption  in  every  existing 
work  on  enforcement  of  temporal  properties  that  the  audit  log  contains  all  past  information.  In 
particular,  we  show  that  on  past-complete  traces,  our  algorithm  yields  a  method  to  find  violations 
of  safety  properties  [2]  and  satisfactions  of  co-safety  properties  [11]  at  the  earliest. 

5.1  Execution  on  Objectively-Complete  Structures 

We analyze the output of $\mathrm{reduce}(\mathcal{L}, \varphi)$ when $\mathcal{L}$ is objectively-complete. Although objective-completeness requires that truth and falsity of objective atoms be determined even in the future, it may model some realistic settings. For instance, after audit-relevant information has been gathered from all possible sources, it may be assumed that any fact not explicitly seen is, by default, false. The resulting structure would be objectively-complete. Objectively-complete structures correspond to the case of subjective incompleteness from Section 3.

Definition 5.1. A structure $\mathcal{L}$ is called objectively-complete if for all objective atoms $P_o$, $\rho_{\mathcal{L}}(P_o) \in \{\mathsf{tt}, \mathsf{ff}\}$.

If a structure $\mathcal{L}$ is objectively-complete, then during the execution of $\mathrm{reduce}(\mathcal{L}, \varphi)$, all relevant substitutions can be found for quantifiers and all objective atoms can be replaced with either $\top$ or $\bot$. Indeed, we show in this subsection that if $\mathcal{L}$ is objectively-complete, then the output, $\psi$, of $\mathrm{reduce}(\mathcal{L}, \varphi)$ can be rewritten (using straightforward rewrite rules) to a logically equivalent formula that is either $\top$ or $\bot$ or contains only subjective atoms, conjunctions and disjunctions. This has practical importance because, as compared to a formula with quantifiers, a formula containing only subjective atoms, conjunctions and disjunctions is more amenable to human inspection and audit.

There are two kinds of rewriting we need to perform on the output $\psi$ to reduce it to our desired form. First, we need to eliminate unnecessary occurrences of $\top$ and $\bot$ that arise either from occurrences of $\top$ and $\bot$ in the input formula, or as replacements of atoms that evaluate to $\mathsf{tt}$ and $\mathsf{ff}$ respectively. Such occurrences can be eliminated by repeatedly applying the following eight rewriting rules anywhere in the output:

$$
\begin{array}{lcl}
\psi \wedge \top \rightarrow \psi & \qquad & \psi \vee \top \rightarrow \top\\
\top \wedge \psi \rightarrow \psi & \qquad & \top \vee \psi \rightarrow \top\\
\psi \wedge \bot \rightarrow \bot & \qquad & \psi \vee \bot \rightarrow \psi\\
\bot \wedge \psi \rightarrow \bot & \qquad & \bot \vee \psi \rightarrow \psi
\end{array}
$$


For example, if $\varphi = P_o \wedge P_s$ for an objective atom $P_o$ and a subjective atom $P_s$ and $\rho_{\mathcal{L}}(P_o) = \mathsf{tt}$, then $\mathrm{reduce}(\mathcal{L}, \varphi) = \top \wedge P_s$. This can be simplified to $P_s$ using the second rule above. Note that each rule above preserves logical equivalence of formulas.

Second, we need to eliminate those quantified subformulas in the output that are called $\varphi'$ in the definition of reduce (Figure 2). These have the forms $\forall \vec{x}.((c \wedge \vec{x} \notin S) \supset \varphi)$ and $\exists \vec{x}.((c \wedge \vec{x} \notin S) \wedge \varphi)$. Because $S$ contains all instances of $\vec{x}$ that satisfy $c$, $(c \wedge \vec{x} \notin S)$ has no satisfying instances in $\mathcal{L}$, i.e., $\mathrm{sat}(\mathcal{L}, (c \wedge \vec{x} \notin S)) = \{\}$. Further, because $\mathcal{L}$ is objectively-complete, any extension $\mathcal{L}'$ of $\mathcal{L}$ must agree with $\mathcal{L}$ on valuation of objective atoms, so, by Theorem 4.5, $\mathrm{sat}(\mathcal{L}', (c \wedge \vec{x} \notin S)) = \{\}$. Consequently, $\forall \vec{x}.((c \wedge \vec{x} \notin S) \supset \varphi)$ is logically equivalent to $\top$ in all extensions of $\mathcal{L}$ and $\exists \vec{x}.((c \wedge \vec{x} \notin S) \wedge \varphi)$ is logically equivalent to $\bot$ in all extensions of $\mathcal{L}$. This immediately yields the following two rules for elimination of quantifiers from the output of reduce.


$$
\forall \vec{x}.(c \supset \varphi) \rightarrow \top
\qquad\qquad
\exists \vec{x}.(c \wedge \varphi) \rightarrow \bot
$$


We point out that, unlike the eight rewriting rules presented earlier, the two rewriting rules above do not preserve logical equivalence in general, but they preserve logical equivalence when applied to the output $\psi = \mathrm{reduce}(\mathcal{L}, \varphi)$ for objectively-complete $\mathcal{L}$.

Let $\rightarrow^*$ denote the reflexive-transitive closure of $\rightarrow$. Since $\rightarrow$ makes formulas strictly smaller, it cannot be applied indefinitely to any formula. Further, even though a formula may be rewritten in many ways using a single application of $\rightarrow$, the formula obtained by applying $\rightarrow$ exhaustively starting from a fixed initial formula is unique because $\rightarrow$ is confluent.

Theorem 5.2. Suppose $\mathcal{L}$ is objectively-complete, $\vdash \varphi$ and $\psi = \mathrm{reduce}(\mathcal{L}, \varphi)$. Then $\psi \rightarrow^* \psi'$, where (1) $\psi'$ is either $\top$, or $\bot$, or contains only subjective atoms and the connectives $\wedge$, $\vee$, and (2) for all $\mathcal{L}' \geq \mathcal{L}$, $\mathcal{L}' \models \psi$ iff $\mathcal{L}' \models \psi'$ and $\mathcal{L}' \models \overline{\psi}$ iff $\mathcal{L}' \models \overline{\psi'}$.

Proof.  See  Appendix  C,  Theorem  C.4.  □ 

An interesting special case arises on inputs $\varphi$ without any subjective predicates. In this case, it can be proved by induction on $\varphi$ that if $\mathcal{L}$ is objectively-complete, then either $\mathcal{L} \models \varphi$ or $\mathcal{L} \models \overline{\varphi}$ (either $\varphi$ is true in $\mathcal{L}$ or it is false). Interestingly, for such inputs, Theorem 5.2 yields a decision procedure for determining the truth or falsity of $\varphi$ in $\mathcal{L}$. The proof of this fact is straightforward. By minimality of reduce (Theorem 4.3), the output $\psi$ of $\mathrm{reduce}(\mathcal{L}, \varphi)$ cannot contain any subjective atoms if $\varphi$ does not contain them, so neither can the formula $\psi'$ obtained by rewriting in Theorem 5.2. Hence, $\psi'$ must be either $\top$ or $\bot$. If $\psi' = \top$, then by Theorem 4.2, $\mathcal{L} \models \varphi$, and if $\psi' = \bot$, then by the same theorem, $\mathcal{L} \models \overline{\varphi}$. This is a decision procedure because both reduce and $\rightarrow^*$ terminate.

5.2  Execution  on  Past-Complete  Structures 

Next, we analyze our enforcement algorithm on structures that have complete information up to a specific point of time, say $\tau_0$. We call such structures $\tau_0$-past-complete or, briefly, $\tau_0$-complete.
Past-completeness  corresponds  to  future  incompleteness  from  Section  3  and  is  practically  relevant 
because  in  many  cases,  audit  logs  record  all  relevant  events  as  they  happen  and  the  entire  history 
is  available  to  an  enforcement  algorithm.  In  fact,  this  is  a  standard  assumption  in  all  existing 
literature  on  either  runtime  or  post-hoc  enforcement  of  temporal  properties.  The  classic  result  in 
this  context  is  that,  under  this  assumption,  a  runtime  monitor  can  detect  both  violation  of  so-called 
safety  properties  (a  given  bad  event  never  happens)  and  satisfaction  of  so-called  co-safety  properties 
(a  given  good  event  happens  at  some  time  either  in  the  past  or  in  the  future)  at  the  earliest  possible 
time.  In  the  rest  of  this  subsection,  we  show  that  on  past-complete  structures  similar  results  hold 
for  our  enforcement  method. 

We  start  by  formally  defining  past-complete  structures,  then  adapt  a  standard  characterization 
of  safety  and  co-safety  properties  in  temporal  logic  to  our  setting,  and  finally  prove  that  the  function 
reduce, together with rewriting $\rightarrow$, yields a method to enforce both safety and co-safety properties.
It  is  important  to  mention  here  that  violation  or  satisfaction  of  a  property  cannot  be  defined 
formally  if  the  property  has  subjective  predicates.  Consequently,  we  assume  in  this  subsection,  like 
existing  literature  on  the  subject,  that  policies  do  not  contain  subjective  predicates. 

Definition 5.3. Given a ground time $\tau_0$, a structure $\mathcal{L}$ is called $\tau_0$-past-complete or $\tau_0$-complete if the following two conditions hold:

1. For all predicates $p$, all ground $t_1,\ldots,t_n$ and all $\tau < \tau_0$, $\rho_{\mathcal{L}}(p(t_1,\ldots,t_n,\tau)) \in \{\mathsf{tt},\mathsf{ff}\}$.

2. For all ground $\tau_1,\tau_2,\tau_3$ such that $\tau_1 < \tau_0$, $\rho_{\mathcal{L}}(\mathrm{in}(\tau_1,\tau_2,\tau_3)) \in \{\mathsf{tt},\mathsf{ff}\}$.

The first condition means that the truth or falsity of every atom in the temporal logic can be determined at time $\tau$ if $\tau < \tau_0$. The second condition states that $\mathcal{L}$ records all relevant states up to time $\tau_0$.

Safety and Co-safety  Informally, a safety property states that a specified bad condition is never satisfied. Dually, a co-safety property states that a specified good condition is satisfied at some time (either in the past or in the future). Although the two kinds of properties are often characterized in terms of traces (semantically) [2, 11], characterizations of the two kinds of properties as classes of formulas in logic are more relevant for us. It is known [23] that safety properties correspond to formulas of the form $\mathsf{G}\,\varphi$, where $\mathsf{G}$ is the "in every state" operator introduced in Example 2.3 and $\varphi$ is an arbitrary formula of the temporal logic not containing any future operators ($\Box$ and $\mathsf{U}$). In words, $\mathsf{G}\,\varphi$ means that in every state (the bad condition) $\neg\varphi$ does not hold. As an illustration, the policy $\mathsf{G}\,\varphi_{pol1}$ in Example 2.3 is a safety property, but $\mathsf{G}\,\varphi_{pol2}$ is not because it contains a future operator. Dually, co-safety properties can be characterized as formulas of the form $\mathsf{F}\,\varphi = \exists \tau.(\mathrm{in}(\tau,0,\infty) \wedge (\varphi)^\tau)$, informally meaning that in some state $\tau$, (the good condition) $\varphi$ holds.¹

We say that a safety property $\mathsf{G}\,\varphi$ is violated at time $\tau$ in a structure $\mathcal{L}$ if $\mathcal{L} \models (\overline{\varphi})^\tau$. In other words, $\mathsf{G}\,\varphi$ is violated at time $\tau$ if at that time, the negation of $\varphi$ holds in $\mathcal{L}$. Similarly, we say that a co-safety property $\mathsf{F}\,\varphi$ is satisfied at time $\tau$ in a structure $\mathcal{L}$ if $\mathcal{L} \models (\varphi)^\tau$.

Our first result (Theorem 5.4) is that if a safety property $\mathsf{G}\,\varphi$ is violated at time $\tau$ in a structure $\mathcal{L}$ that is $\tau_0$-complete ($\tau < \tau_0$), then $\mathrm{reduce}(\mathcal{L}, \mathsf{G}\,\varphi) \rightarrow^* \bot$ (and conversely). This result is important because it implies that violations of safety properties can be detected in the next iteration of enforcement after they occur if audit logs contain all past information. An analogous result, Theorem 5.5, holds for co-safety properties, wherein satisfaction can be detected at the earliest. The justification for both theorems is similar to that for Theorem 5.2, but more involved. Because both reduce and $\rightarrow^*$ terminate, the theorems also provide decision procedures for enforcing safety and co-safety properties on past-complete structures.

Theorem 5.4 (Enforcement of safety properties). Suppose $\mathsf{G}\,\varphi$ is a safety property, $\vdash \mathsf{G}\,\varphi$, $\mathcal{L}$ is $\tau_0$-complete, and for all $\tau$, $(\rho_{\mathcal{L}}(\mathrm{in}(\tau,0,\infty)) = \mathsf{tt}) \Rightarrow \tau < \tau_0$. Then, $\mathrm{reduce}(\mathcal{L}, \mathsf{G}\,\varphi) \rightarrow^* \bot$ iff there is a $\tau$ such that $\mathcal{L} \models \mathrm{in}(\tau,0,\tau_0)$ and $\mathcal{L} \models (\overline{\varphi})^\tau$.

Proof.  See  Appendix  C,  Theorem  C.12.  □ 

Theorem 5.5 (Enforcement of co-safety properties). Suppose $\mathsf{F}\,\varphi$ is a co-safety property, $\vdash \mathsf{F}\,\varphi$, $\mathcal{L}$ is $\tau_0$-complete, and for all $\tau$, $(\rho_{\mathcal{L}}(\mathrm{in}(\tau,0,\infty)) = \mathsf{tt}) \Rightarrow \tau < \tau_0$. Then, $\mathrm{reduce}(\mathcal{L}, \mathsf{F}\,\varphi) \rightarrow^* \top$ if and only if there is a $\tau$ such that $\mathcal{L} \models \mathrm{in}(\tau,0,\tau_0)$ and $\mathcal{L} \models (\varphi)^\tau$.

Proof. See Appendix C, Theorem C.13. □

Example 5.6. We check Theorem 5.4 on the safety property $\mathsf{G}\,\varphi_{pol1}$ from Example 2.3. The policy states that if a message $m$ is sent by $p_1$ to $p_2$ for purpose $u$ and the message is tagged as containing $q$'s data about attribute $t$ (which is a form of $\mathit{phi}$), then either the recipient $p_2$ is $q$'s doctor and the purpose $u$ is treatment, or $q$ has previously consented to this message transmission.

We consider a simple structure $\mathcal{L}$ in which this policy is violated. $\mathcal{L}$ has only one time point 7, at which principal $A$ sends principal $B$ a message $M$. The message $M$ is labeled with purpose $\mathit{test}$ ($\mathrm{purp\_in}(\mathit{test}, \mathit{treatment})$ holds) and tagged as containing principal $C$'s information about attribute $\mathit{meds}$ (medications), which is a form of $\mathit{phi}$. Further, $B$, the recipient, is not $C$'s doctor. Suppose that we audit at a later point of time (10) and that $\mathcal{L}$ described above is 10-complete. Since there is no other information in $\mathcal{L}$ besides what has been mentioned, $C$ has not consented explicitly to this message transmission, so the policy has been violated at time 7. We seek to verify that $\mathrm{reduce}(\mathcal{L}, \mathsf{G}\,\varphi_{pol1}) \rightarrow^* \bot$.

We start by computing $\mathrm{reduce}(\mathcal{L}, \mathsf{G}\,\varphi_{pol1})$. The reader is advised to revisit the definition of $\mathsf{G}\,\varphi_{pol1}$ in Example 2.3. At the top level, $\mathsf{G}\,\varphi_{pol1}$ contains a universal quantifier with restriction $c = (\mathrm{in}(\tau,0,\infty) \wedge \mathrm{send}(p_1,p_2,m,\tau) \wedge \mathrm{purp}(m,u,\tau) \wedge \mathrm{tagged}(m,q,t,\tau) \wedge \mathrm{attr\_in}(t,\mathit{phi},\tau))$. Computing $\mathrm{sat}(\mathcal{L}, c)$ yields $\{(\tau,p_1,p_2,m,u,q,t) \mapsto (7,A,B,M,\mathit{test},C,\mathit{meds})\}$. Hence, $\mathrm{reduce}(\mathcal{L}, \mathsf{G}\,\varphi_{pol1}) = \mathrm{reduce}(\mathcal{L}, \varphi_1) \wedge \varphi'_0$, where $\varphi_1$ is shown below and $\varphi'_0$ is almost a copy of the original policy, with a larger restriction. The only aspect of $\varphi'_0$ relevant for this example is that it contains a top-level universal quantifier.

¹We have not seen this characterization of co-safety properties in the literature, but it is easily derived as the dual of the known characterization of safety properties.
$$
\varphi_1 = (\mathrm{inrole}(B, \mathrm{doc}(C), 7) \wedge \mathrm{purp\_in}(\mathit{test}, \mathit{treatment}, 7)) \vee (\exists \tau'.(\mathrm{in}(\tau', 0, 7) \wedge \mathrm{consents}(C, \mathrm{sendaction}(A, B, (C, \mathit{meds})), \tau')))
$$

Next, we calculate $\mathrm{reduce}(\mathcal{L}, \varphi_1)$. Since $\rho_{\mathcal{L}}(\mathrm{inrole}(B, \mathrm{doc}(C), 7)) = \mathsf{ff}$ and $\rho_{\mathcal{L}}(\mathrm{purp\_in}(\mathit{test}, \mathit{treatment}, 7)) = \mathsf{tt}$, $\mathrm{reduce}(\mathcal{L}, \varphi_1) = (\bot \wedge \top) \vee \mathrm{reduce}(\mathcal{L}, \varphi_2)$, where $\varphi_2$ is the second disjunct of $\varphi_1$. Finally, we compute $\mathrm{reduce}(\mathcal{L}, \varphi_2)$. The top-level connective of $\varphi_2$ is an existential quantifier restricted by $\mathrm{in}(\tau', 0, 7)$. Since $\mathrm{sat}(\mathcal{L}, \mathrm{in}(\tau', 0, 7)) = \{\tau' \mapsto 7\}$, $\mathrm{reduce}(\mathcal{L}, \varphi_2) = \mathrm{reduce}(\mathcal{L}, \varphi_3) \vee \varphi'_2$, where $\varphi_3 = \mathrm{consents}(C, \mathrm{sendaction}(A, B, (C, \mathit{meds})), 7)$ and $\varphi'_2$ begins with an existential quantifier. Clearly, $\mathrm{reduce}(\mathcal{L}, \varphi_3) = \bot$. Putting the pieces back together, we get $\mathrm{reduce}(\mathcal{L}, \mathsf{G}\,\varphi_{pol1}) = ((\bot \wedge \top) \vee (\bot \vee \varphi'_2)) \wedge \varphi'_0$.

Since $\varphi'_0$ and $\varphi'_2$ begin with a universal and an existential quantifier, they can be rewritten to $\top$ and $\bot$ respectively. So, $\mathrm{reduce}(\mathcal{L}, \mathsf{G}\,\varphi_{pol1}) \rightarrow ((\bot \wedge \top) \vee (\bot \vee \bot)) \wedge \top$, which can easily be rewritten to $\bot$, thus indicating a violation. If we change the example to avoid a violation, say by setting $\rho_{\mathcal{L}}(\mathrm{inrole}(B, \mathrm{doc}(C), 7))$ to $\mathsf{tt}$ instead of $\mathsf{ff}$, then the result of rewriting changes from $\bot$ to $\top$, indicating a lack of violation thus far. Finally, if we do not assume that $\mathcal{L}$ is past-complete, then the rewriting of $\varphi'_2$ to $\bot$ is unsound because there may be an extension of $\mathcal{L}$ in which $\varphi'_2$ is true and, hence, the original property may not have been violated, but our procedure would conclude that it is. So, past-completeness is a necessary assumption in Theorem 5.4 (and also Theorem 5.5).
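The computation of Example 5.6, as an added example that is not the paper's code: a small model of reduce together with the rewriting $\rightarrow$ of Sections 5.1 and 5.2, run on a constructed log matching the structure $\mathcal{L}$ above. The tuple syntax, the log contents and the treatment of sat as pattern matching over a finite log are assumptions of this example; the structure is modelled as 10-complete, so atoms dated at or before 10 and absent from the log are false.

```python
# Added example, not the paper's implementation. Formula syntax (nested tuples):
#   ('atom', p, args)            atom p(t1, ..., tn); the last argument is the time
#   ('and', a, b) | ('or', a, b) | TOP | BOT
#   ('forall', xs, c, body, S)   forall x.((c and x not in S) -> body); S = instances split off
#   ('exists', xs, c, body, S)   exists x.((c and x not in S) and body)
# Variables are strings starting with '?'; compound terms such as doc(C) are tuples ('doc', 'C').
TT, FF, UU = 'tt', 'ff', 'uu'
TOP, BOT, INF = ('top',), ('bot',), float('inf')
def atom(p, *args): return ('atom', p, args)
def conj(*cs):
    out = cs[-1]
    for c in reversed(cs[:-1]): out = ('and', c, out)
    return out
def is_var(t): return isinstance(t, str) and t.startswith('?')
def apply(t, sigma):  # apply a substitution to a term
    if is_var(t): return sigma.get(t, t)
    return tuple(apply(a, sigma) for a in t) if isinstance(t, tuple) else t
def subst(phi, sigma):  # apply a substitution to a formula (bound variables assumed fresh)
    k = phi[0]
    if k == 'atom': return ('atom', phi[1], apply(phi[2], sigma))
    if k in ('and', 'or'): return (k, subst(phi[1], sigma), subst(phi[2], sigma))
    if k in ('forall', 'exists'): return (k, phi[1], subst(phi[2], sigma), subst(phi[3], sigma), phi[4])
    return phi
def match(pat, val, sigma):  # extend sigma so that pat.sigma == val, or None if impossible
    if is_var(pat):
        if pat in sigma: return sigma if sigma[pat] == val else None
        return {**sigma, pat: val}
    if isinstance(pat, tuple):
        if not isinstance(val, tuple) or len(pat) != len(val): return None
        for p, v in zip(pat, val):
            sigma = match(p, v, sigma)
            if sigma is None: return None
        return sigma
    return sigma if pat == val else None

class Structure:
    """A tau0-past-complete structure: a finite log of true atoms plus its recorded time points."""
    def __init__(self, times, tau0, facts):
        self.times, self.tau0, self.facts = set(times), tau0, set(facts)
    def val(self, a):  # rho_L on a ground atom
        _, p, args = a
        if p == 'in':  # in(t, lo, hi): t is a recorded time point within [lo, hi]
            t, lo, hi = args
            if t in self.times and lo <= t <= hi: return TT
            return FF if t <= self.tau0 else UU
        if (p, args) in self.facts: return TT
        return FF if args[-1] <= self.tau0 else UU  # past-completeness: absent and dated <= tau0 is false
    def sat(self, c, sigma):  # all extensions of sigma that satisfy restriction c in this structure
        k = c[0]
        if k == 'top': return [sigma]
        if k == 'and': return [s2 for s1 in self.sat(c[1], sigma) for s2 in self.sat(c[2], s1)]
        _, p, args = c
        args = apply(args, sigma)  # input positions are ground here (guaranteed by the mode check)
        if p == 'in': cands = [(t, args[1], args[2]) for t in sorted(self.times) if args[1] <= t <= args[2]]
        else: cands = sorted((a for q, a in self.facts if q == p), key=repr)
        return [m for m in (match(args, v, sigma) for v in cands) if m is not None]

def reduce_(L, phi):
    """reduce(L, phi): settle what the log decides and return the residual formula."""
    k = phi[0]
    if k == 'atom':
        v = L.val(phi)
        return TOP if v == TT else BOT if v == FF else phi
    if k in ('and', 'or'): return (k, reduce_(L, phi[1]), reduce_(L, phi[2]))
    if k in ('forall', 'exists'):
        _, xs, c, body, S = phi
        subs = [s for s in L.sat(c, {}) if tuple(s[x] for x in xs) not in S]
        out = (k, xs, c, body, S | {tuple(s[x] for x in xs) for s in subs})  # residual phi'
        join = 'and' if k == 'forall' else 'or'
        for s in reversed(subs): out = (join, reduce_(L, subst(body, s)), out)
        return out
    return phi

def rewrite(phi, complete):
    """Exhaustive ->: the eight top/bot rules, plus the two quantifier-elimination rules,
    which are sound only when the structure is objectively- or past-complete."""
    k = phi[0]
    if k in ('and', 'or'):
        a, b = rewrite(phi[1], complete), rewrite(phi[2], complete)
        unit, zero = (TOP, BOT) if k == 'and' else (BOT, TOP)
        if a == unit: return b
        if b == unit: return a
        return zero if zero in (a, b) else (k, a, b)
    if k in ('forall', 'exists') and complete: return TOP if k == 'forall' else BOT
    return phi

def audit(L, phi, complete=True): return rewrite(reduce_(L, phi), complete)

# G phi_pol1 as restated above (attribute variable t written ?a to avoid clashing with time ?t).
POL1 = ('forall', ('?t', '?p1', '?p2', '?m', '?u', '?q', '?a'),
        conj(atom('in', '?t', 0, INF), atom('send', '?p1', '?p2', '?m', '?t'),
             atom('purp', '?m', '?u', '?t'), atom('tagged', '?m', '?q', '?a', '?t'),
             atom('attr_in', '?a', 'phi', '?t')),
        ('or', ('and', atom('inrole', '?p2', ('doc', '?q'), '?t'),
                       atom('purp_in', '?u', 'treatment', '?t')),
               ('exists', ('?t2',), atom('in', '?t2', 0, '?t'),
                atom('consents', '?q', ('sendaction', '?p1', '?p2', ('?q', '?a')), '?t2'), frozenset())),
        frozenset())
# Constructed log of Example 5.6: one time point 7, audited at time 10.
LOG = [('send', ('A', 'B', 'M', 7)), ('purp', ('M', 'test', 7)), ('tagged', ('M', 'C', 'meds', 7)),
       ('attr_in', ('meds', 'phi', 7)), ('purp_in', ('test', 'treatment', 7))]
L_VIOLATION = Structure({7}, 10, LOG)                                  # B is not C's doctor, no consent
L_OK = Structure({7}, 10, LOG + [('inrole', ('B', ('doc', 'C'), 7))])  # B is C's doctor
```

`audit(L_VIOLATION, POL1)` rewrites to `('bot',)` and `audit(L_OK, POL1)` to `('top',)`; with `complete=False` the quantifier rules are withheld and the result keeps both residual quantifiers, which is what an audit over a log that is not known to be past-complete must report.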

6  Application  to  HIPAA 

We  comment  on  application  of  our  algorithm  to  transmission-relevant  clauses  of  the  HIPAA  Privacy 
Rule.  These  clauses  can  be  viewed  as  a  template  for  actual  privacy  policies,  which  may  be  obtained 
by  instantiating  abstract  roles  like  “covered  entity”  in  HIPAA  with  actual  roles  like  “doctor”, 
“nurse”,  etc.  In  prior  work  on  PrivacyLFP  [16],  we  have  shown  that  all  84  transmission-related 
clauses  in  HIPAA  can  be  represented  in  the  logic.  Since  we  have  restricted  the  syntax  of  quantifiers 
in  this  paper  to  facilitate  enforcement,  an  immediate  question  is  whether  we  can  still  represent  all 
the  clauses  of  HIPAA  in  our  logic.  A  careful  re-analysis  of  the  prior  work  reveals  that  81  of  the  84 
clauses fall in the fragment considered in this paper. The three remaining clauses, namely Sections 164.506(c)(4), 164.512(k)(1)(i), and 164.512(k)(1)(iv) of HIPAA, contain quantifiers with subjective
restrictions.  However,  in  each  such  case,  the  formula  under  the  quantifier  contains  only  subjective 
predicates  and,  therefore,  the  entire  formula  may  be  considered  a  single  subjective  predicate.  With 
this  minor  change,  the  algorithm  of  Section  4  can  be  applied  to  all  84  clauses  of  HIPAA. 

The  next  question  is  the  usefulness  of  the  algorithm,  given  that  HIPAA  contains  many  subjective 
predicates  (in  fact,  578  out  of  a  total  of  881  atoms  in  our  formalization  of  HIPAA  are  subjective). 
The  answer  to  this  question  is  two-fold.  First,  irrespective  of  the  percentage  of  subjective  atoms, 
one  practical  advantage  of  using  our  algorithm  is  that  it  instantiates  quantifiers  automatically  using 
log  data,  which  could  otherwise  be  a  daunting  task  for  a  human  auditor. 

Second,  our  algorithm  automatically  discharges  objective  atoms  from  fully  instantiated  formu¬ 
las,  leaving  only  subjective  atoms  for  a  human  auditor.  As  discussed  in  the  prior  work,  with  a 
slight  amount  of  design  effort,  e.g.,  standardizing  message  formats,  402  of  the  subjective  atoms 
can  be  mechanized,  leaving  a  total  of  176  subjective  atoms,  and  improving  the  effectiveness  of 
the  algorithm  significantly.  A  reasonable  method  to  quantify  the  effectiveness  of  the  algorithm 
on  instantiated  formulas  is  to  calculate  the  ratio  of  the  number  of  objective  atoms  to  the  total 
number of atoms for all 84 clauses. (A more accurate assessment can be made if we also know how frequently each clause of HIPAA gets instantiated, but this is impossible without real data.) In Appendix D, we list for each clause the numbers of subjective and objective atoms in it (#S and #O respectively), as well as the number of subjective atoms that can be mechanized by simple design effort such as standardizing message formats (#O'). The ratio (#O' + #O) / (#S + #O)
shown  in  the  last  column  is  an  estimate  of  the  percentage  of  the  clause  our  algorithm  will  reduce 
automatically,  assuming  that  the  required  design  effort  has  been  made.  Based  on  these  figures,  we 
count  that  in  17  clauses,  all  atoms  can  be  reduced  automatically;  in  24  other  clauses,  at  least  80% 
of  the  atoms  can  be  reduced  automatically;  and  in  29  other  clauses,  at  least  50%  of  the  atoms  can 
be  reduced  automatically.  On  the  other  hand,  in  6  clauses  our  algorithm  cannot  reduce  any  atoms 
automatically  but  5  out  of  these  6  clauses  contain  exactly  one  subjective  atom  each. 

In summary, even though completely automatic enforcement of policies derived from HIPAA is impossible due to its use of subjective predicates, our algorithm can help reduce the burden of human
auditors  significantly,  both  by  instantiating  quantifiers  automatically  and  by  discharging  objective 
atoms  in  fully  instantiated  formulas. 

7  Related  Work 

Policy  Enforcement  with  Temporal  Logic  A  lot  of  prior  work  addresses  the  problem  of 
runtime  monitoring  of  policies  expressed  in  Linear  Temporal  Logic  (LTL)  [5,  7,  10,  28,  30,  31] 
and  its  extensions  [7,  29,  30].  Although  similar  in  the  spirit  of  enforcing  policies,  the  intended 
deployment  of  our  work  is  different:  we  expect  our  algorithm  to  be  used  for  after-the-fact  audit  for 
violations,  rather  than  for  online  monitoring.  Consequently,  the  issue  of  retaining  only  necessary 
portions  of  logs,  which  is  central  to  runtime  monitoring,  is  largely  irrelevant  for  our  work  (and 
hence  not  considered  in  this  paper). 

Comparing  only  the  expressiveness  of  the  logic,  our  work  is  more  advanced  than  all  existing 
work  on  policy  enforcement.  First,  we  enforce  a  large  fragment  of  first-order  temporal  logic,  whereas 
prior  work  is  either  limited  to  propositional  logic  [5,  28,  31],  or,  when  quantifiers  are  considered, 
they  are  severely  restricted  [7,  29,  30].  A  recent  exception  to  such  syntactic  restrictions  is  the 
work  of  Basin  et  al.  [10],  to  which  we  compare  in  detail  below.  Second,  no  prior  work  considers 
either  subjective  predicates,  or  the  possibility  of  gaps  in  past  information,  both  of  which  our  partial 
structures  and  enforcement  algorithm  account  for. 

Recent  work  by  Basin  et  al.  [10]  considers  runtime  monitoring  over  an  expressive  fragment  of 
Metric  First-order  Temporal  Logic.  Similar  to  our  work,  Basin  et  al.  allow  quantification  over 
infinite  domains,  and  use  a  form  of  mode  analysis  (called  a  safe-range  analysis)  to  ensure  finiteness 
during enforcement. However, Basin et al.'s mode analysis is weaker than ours; in particular, it
cannot  relate  the  same  variable  in  the  input  and  output  positions  of  two  different  conjuncts  of 
a  restriction  and  requires  that  each  free  variable  appear  in  at  least  one  predicate  with  a  finite 
model. As a consequence, some policies such as $\varphi_{pol1}$ (Example 2.1), whose top-level restriction $(\mathrm{send}(p_1,p_2,m) \wedge \mathrm{purp}(m,u) \wedge \ldots)$ contains a variable $u$ not occurring in any predicate with a finite model, cannot be enforced in their framework, but can be enforced in ours. Due to their goal
of  runtime  enforcement,  Basin  et  al.  use  auxiliary  data  structures  to  cache  relevant  portions  of  the 
log  in  memory,  which  may  form  the  basis  of  useful  optimizations  in  an  implementation  of  our  work. 

Cederquist et al. [14] present a proof-based system for a-posteriori audit, where policy obligations are discharged by constructing formal proofs. The leaves of proofs are established from logs, but the audit process only checks that an obligation has been satisfied somewhere in the past, thus allowing only for obligations of the form $\Diamond\varphi$. Further, there is no systematic mechanism to instantiate quantifiers in proofs. However, using connectives of linear logic, the mechanism admits policies that rely on consumable permissions.

The idea of iteratively rewriting the policy over evolving audit logs has been considered previously [28, 31], but only for propositional logic. Bauer et al. [5] use a different approach for iterative enforcement: they convert an LTL formula with limited first-order quantification to a Büchi automaton and check whether the automaton accepts the input log. Further, they also
use  a  three-valued  semantic  model  similar  to  ours,  but  assume  past-completeness.  Three-valued 
structures  have  also  been  considered  in  work  on  generalized  model  checking  [13,  19].  However,  the 
problems  addressed  in  that  line  of  work  are  different;  the  objective  there  is  to  check  whether  there 
exist  extensions  of  a  given  structure  in  which  a  formula  is  satisfied  (or  falsified). 

Policy Specification  Several variants of LTL have been used to specify the properties of programs, business processes and security and privacy policies [8, 9, 16, 18, 22]. Our representation of policies and our logic, PrivacyLFP, draw inspiration from LPU [8].

Further,  several  access-control  models  have  extensions  for  specifying  usage  control  and  future 
obligations [12, 17, 20, 21, 25-27]. Some of these models assume a pre-defined notion of obligations [21, 25]. For instance, Irwin et al. [21] model obligations as tuples containing the subject of
the  obligation,  the  actions  to  be  performed,  the  objects  that  are  targets  of  the  actions  and  the  time 
frames  of  the  obligations.  Other  models  leave  specifications  for  obligations  abstract  [12,  20,  27]. 
Such  specific  models  and  the  ensuing  policies  can  be  encoded  in  our  logic  using  quantifiers  and 
temporal  operators. 

There  also  has  been  much  work  on  analyzing  the  properties  of  policies  represented  in  formal 
models.  For  instance,  Ni  et  al.  study  the  interaction  between  obligation  and  authorization  [25], 
Irwin  et  al.  have  analyzed  accountability  problems  with  obligations  [21],  and  Dougherty  et  al.  have 
modeled  the  interaction  between  obligations  and  programs  [17].  These  methods  are  orthogonal  to 
our  objective  of  policy  enforcement.  It  may  be  possible  to  adapt  ideas  from  these  papers  to  analyze 
similar  properties  of  policies  expressed  in  PrivacyLFP  also. 

Finally,  privacy  languages  such  as  EPAL  [6]  and  privacyAPI  [24]  do  not  include  obligations  or 
temporal  modalities  as  primitives,  and  are  less  expressive  than  our  framework. 

8  Conclusion 

We  have  presented  an  expressive  and  provably  correct  iterative  method  for  enforcing  privacy  policies 
that  works  by  reducing  policies,  even  in  the  face  of  incomplete  system  logs.  Our  method  is  expressive 
enough  to  enforce  real  privacy  legislation  like  HIPAA,  yet  tractable  due  to  a  carefully  designed  static 
analysis.  Under  standard  assumptions  about  system  logs,  we  obtain  methods  to  mechanically 
enforce  safety  and  co-safety  properties. 

Our  planned  next  step  is  to  implement  the  proposed  enforcement  mechanism  and  to  test  its 
performance  on  real  privacy  legislation.  A  specific  goal  is  to  develop  generic  optimization  and 
caching  techniques  that  encompass  all  forms  of  log  incompleteness,  to  the  extent  possible.  Prior 
work  on  runtime  monitoring  may  provide  valuable  insights  in  this  regard,  but  a  significant  challenge 
is  to  generalize  it  beyond  past-completeness. 
A Details from Section 2

The full definition of $\overline{\varphi}$ is shown below:

$$
\begin{array}{rcl}
\overline{p_o(t_1,\ldots,t_n)} &=& \overline{p_o}(t_1,\ldots,t_n)\\
\overline{p_s(t_1,\ldots,t_n)} &=& \overline{p_s}(t_1,\ldots,t_n)\\
\overline{\top} &=& \bot\\
\overline{\bot} &=& \top\\
\overline{\varphi \wedge \psi} &=& \overline{\varphi} \vee \overline{\psi}\\
\overline{\varphi \vee \psi} &=& \overline{\varphi} \wedge \overline{\psi}\\
\overline{\forall \vec{x} \notin S.(c \supset \varphi)} &=& \exists \vec{x} \notin S.(c \wedge \overline{\varphi})\\
\overline{\exists \vec{x} \notin S.(c \wedge \varphi)} &=& \forall \vec{x} \notin S.(c \supset \overline{\varphi})
\end{array}
$$

The full translation $(\cdot)^\tau$ from the temporal logic to the sublogic is shown below. For restrictions:

$$
\begin{array}{rcl}
(p_o(t_1,\ldots,t_n))^\tau &=& p_o(t_1,\ldots,t_n,\tau)\\
(\top)^\tau &=& \top\\
(\bot)^\tau &=& \bot\\
(c_1 \wedge c_2)^\tau &=& (c_1)^\tau \wedge (c_2)^\tau\\
(c_1 \vee c_2)^\tau &=& (c_1)^\tau \vee (c_2)^\tau\\
(\exists \vec{x}.c)^\tau &=& \exists \vec{x}.(c)^\tau
\end{array}
$$

For formulas:

$$
\begin{array}{rcl}
(p_o(t_1,\ldots,t_n))^\tau &=& p_o(t_1,\ldots,t_n,\tau)\\
(p_s(t_1,\ldots,t_n))^\tau &=& p_s(t_1,\ldots,t_n,\tau)\\
(\top)^\tau &=& \top\\
(\bot)^\tau &=& \bot\\
(\alpha \wedge \beta)^\tau &=& (\alpha)^\tau \wedge (\beta)^\tau\\
(\alpha \vee \beta)^\tau &=& (\alpha)^\tau \vee (\beta)^\tau\\
(\neg\alpha)^\tau &=& \overline{(\alpha)^\tau}\\
(\forall \vec{x}.(c \supset \alpha))^\tau &=& \forall \vec{x}.((c)^\tau \supset (\alpha)^\tau)\\
(\exists \vec{x}.(c \wedge \alpha))^\tau &=& \exists \vec{x}.((c)^\tau \wedge (\alpha)^\tau)\\
(\downarrow x.\alpha)^\tau &=& (\alpha[\tau/x])^\tau\\
(\alpha\ \mathsf{S}\ \beta)^\tau &=& \exists \tau'.(\mathrm{in}(\tau',0,\tau) \wedge (\beta)^{\tau'} \wedge (\forall \tau''.((\mathrm{in}(\tau'',\tau',\tau) \wedge \cdots) \supset (\alpha)^{\tau''})))\\
(\alpha\ \mathsf{U}\ \beta)^\tau &=& \cdots\\
(\boxminus \alpha)^\tau &=& \forall \tau'.(\mathrm{in}(\tau',0,\tau) \supset (\alpha)^{\tau'})\\
(\Box \alpha)^\tau &=& \forall \tau'.(\mathrm{in}(\tau',\tau,\infty) \supset (\alpha)^{\tau'})
\end{array}
$$

B  Proofs  from  Section  4 


This  appendix  contains  proofs  of  theorems  presented  in  Section  4.  The  proofs  are  presented  in  an 
order  different  from  the  order  of  theorems  in  the  main  body  of  the  paper  because  of  dependencies 
in  the  proofs. 

Lemma B.1 (Monotonicity). $\mathcal{L}' \geq \mathcal{L}$ and $\mathcal{L} \models \varphi$ imply $\mathcal{L}' \models \varphi$.

Proof. By induction on $\varphi$. □

Lemma B.2 (Consistency). For all $\mathcal{L}$ and $\varphi$, either $\mathcal{L} \not\models \varphi$ or $\mathcal{L} \not\models \overline{\varphi}$.

Proof. By induction on $\varphi$. □

Theorem B.3 (Correctness of sat; Theorem 4.5). If $\mathrm{sat}(\mathcal{L}, c)$ is defined then for any substitution $\sigma'$ with $\mathrm{dom}(\sigma') \supseteq \mathrm{fv}(c)$, $\mathcal{L} \models c\sigma'$ iff there is a substitution $\sigma \in \mathrm{sat}(\mathcal{L}, c)$ such that $\sigma' \geq \sigma$.

Proof.  By  induction  on  c  and  case  analysis  of  its  top-level  constructor. 
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Case,  c  =  p0(ti ,  •  •  •  ,tn).  Then,  sat(£,  c)  =  sat(£,c).  The  result  follows  from  the  condition  that 
sat  is  required  to  satisfy  (Section  4.3). 

Case,  c  =  T.  Then,  sat(£,c)  =  {•}.  If  £  (=  ccr',  cr'  trivially  extends  •  by  definition.  Conversely, 
any  substitution  cr'  trivially  satisfies  £  j=  Ter'. 

Case,  c  =  _L.  Then,  sat(£,c)  =  {}.  The  result  is  vacuously  true  in  both  directions  because 
£  |^=  la',  and  o'  0  {}. 

Case,  c  =  ci  A  C2.  Then,  sat(£,  c)  =  Uo-ie5St(£  ci)  +  sat(£,  C2<ti).  Clearly,  if  this  exists,  then 
sat(£,ci)  must  be  defined  also,  and  for  each  eri  G  sat(£,  ci),  sat(£,  C2<Ji)  must  also  be  defined. 

Suppose  £  |=  (ci  A  C2)<t'.  By  definition  of  |=,  we  get  £  |=  cicr'  and  £  |=  C2er'.  By  the 
i.h.,  the  former  implies  that  there  is  a  aj  G  sat(£,  ci)  such  that  cr'  >  a This  also  implies 
that  C2 cr'  =  (c2<t i)(j'.  So,  £  |=  C20'  implies  £  (=  (c2<ti  )cr'.  Consequently,  by  the  i.h.  on  C20 \ , 
there  must  be  a  a 2  G  sat(£,C2<ri)  such  that  o'  >  er2.  It  follows  that  cr'  >  cri  +  02.  Clearly, 
(<Ji  +  02)  G  (fJi  +  sat(£,  c2<7i))  C  (UCT1e5it(£,ci)  ai  +  sat(£>  c20i))  =  sat(£,  c),  as  required. 

Conversely,  suppose  that  there  is  a  a  £  Uo-iesat(£  a)  ai  +  sat(£,C2«ri)  and  o'  >  <7  with 
dom(er')  D  fv(cr).  We  need  to  show  that  £  |=  (ci  A  c2)(j'  or,  equivalently,  £  |=  cicr'  and  £  \=  C2 cr' . 
By  set-theory,  there  must  be  a  a\  G  sat(£,  ci)  and  a  02  G  sat(£,  C2<ti)  such  that  cr  =  ci  +  <72- 
Clearly,  u'  >  <ji.  So,  by  the  i.h.,  we  immediately  have  £  \=  c\o' .  Similarly,  a'  >  £72-  So,  by  i.h.  on 
C2<t  1 ,  £  |=  C2(J\o' .  But,  C2cr i<j'  =  C2cr'.  Therefore,  £  |=  C20' ■ 

Case,  c  =  ci  V  C2 .  Then,  sat(£,  c)  =  sat(£,  ci)  U  sat(£,C2).  If  this  is  defined,  then,  clearly,  both 
sat(£,ci)  and  sat (£,02)  must  be  defined. 

Suppose  £  |=  (ci  V  C2)cr'.  By  definition  of  |=,  we  get  that  either  £  |=  ci<t'  or  £  |=  C2cr'. 
We  consider  here  the  former  case  (the  latter  is  similar).  So  £  (=  c\o' .  By  the  i.h.,  there  is  a 
<7  G  sat(£,  ci)  such  that  a'  >  a±.  The  proof  is  complete  by  noting  that  o\  G  sat(£,  ci)  G  sat(£,  c). 

Conversely,  suppose  that  there  is  a  cr  G  sat(£,  ci)  U  sat(£,  C2)  and  er'  >  a  with  dom(<7')  D  fv(cr). 
We  need  to  show  that  £  |=  (ci  V  02)0’  or,  equivalently,  either  £  (=  cicr'  or  £  j=  C2cr'.  From 
cr  G  sat(£,ci)  U  sat(£,C2),  we  get  that  either  0  G  sat(£,  ci)  or  a  G  sat(£,  C2).  Consider  the 
former  case  (the  latter  is  similar):  a  G  sat(£,  ci).  By  i.h.  on  ci,  we  immediately  get  £  |=  ci<7',  as 
required. 

Case,  c  =  3x.c'.  Then,  sat(£,c)  =  sat(£,  c')\{x}.  If  this  is  defined,  then,  clearly,  sat(£,c')  must 
also  be  defined. 

Suppose  £  |=  (z \x.c')a'.  By  definition  of  |=,  there  must  be  a  f  such  that  £  |=  c'[t/x\cr'.  By 
i.h.  on  c',  there  must  be  a  cr  G  sat(£,c')  such  that  (cr'  |[ig  f])  >  a.  Clearly,  cr'  >  cr\{x}  and 
cr \{cc}  G  sat(£,c),  as  required. 

Conversely,  suppose  that  there  is  a  cr  G  sat(£,  c')\{x}  and  a’  >  a  with  dom(cr')  D  fv(c).  We 
need  to  show  that  £  \=  ca' .  Because  cr  G  sat(£,  c')\{x},  there  is  a  cr"  G  sat(£,  c')  and  a  t  such 
that  cr"  =  cr  +  [x  1— )•  t] .  Clearly,  cr'  +  [x  (->•  t]  >  cr  +  [x  1-^  t]  =  cr".  By  i.h.  on  c',  £  |=  c'[t/x]ar ,  which 
implies  (by  definition  of  |=)  that  £  |=  ( 3x.d)a ',  i.e. ,  £  |=  ca' .  □ 

Lemma B.4 (Duality of reduce). $\mathrm{reduce}(\mathcal{L}, \overline{\varphi}) = \overline{\mathrm{reduce}(\mathcal{L}, \varphi)}$.

Proof. By a straightforward induction on $\varphi$. We show some representative cases below.

Case $\varphi = P$. Then,

$$
\mathrm{reduce}(\mathcal{L}, P) = \begin{cases} \top & \text{if } \rho_\mathcal{L}(P) = \mathrm{tt} \\ \bot & \text{if } \rho_\mathcal{L}(P) = \mathrm{ff} \\ P & \text{if } \rho_\mathcal{L}(P) = \mathrm{uu} \end{cases}
$$

We consider all three possible subcases on $\rho_\mathcal{L}(P)$. If $\rho_\mathcal{L}(P) = \mathrm{tt}$, then, by definition, $\rho_\mathcal{L}(\overline{P}) = \mathrm{ff}$, so $\mathrm{reduce}(\mathcal{L}, \overline{P}) = \bot = \overline{\top} = \overline{\mathrm{reduce}(\mathcal{L}, P)}$. The case of $\rho_\mathcal{L}(P) = \mathrm{ff}$ is similar. For $\rho_\mathcal{L}(P) = \mathrm{uu}$, we have $\rho_\mathcal{L}(\overline{P}) = \mathrm{uu}$, so $\mathrm{reduce}(\mathcal{L}, \overline{P}) = \overline{P} = \overline{\mathrm{reduce}(\mathcal{L}, P)}$.

Case $\varphi = \forall x.(c \supset \varphi')$. Then, $\mathrm{reduce}(\mathcal{L}, \varphi)$ is calculated as follows:

$$
\begin{array}{l}
\mathrm{reduce}(\mathcal{L}, \forall x.(c \supset \varphi')) = \mathbf{let} \\
\quad \{\sigma_1, \ldots, \sigma_n\} \leftarrow \mathrm{sat}(\mathcal{L}, c) \\
\quad \{t_i \leftarrow \sigma_i(x)\}_{i=1}^n \\
\quad S \leftarrow \{t_1, \ldots, t_n\} \\
\quad \{\psi_i \leftarrow \mathrm{reduce}(\mathcal{L}, \varphi'[t_i/x])\}_{i=1}^n \\
\quad \psi' \leftarrow \forall x.((c \wedge x \notin S) \supset \varphi') \\
\mathbf{return}\ \psi_1 \wedge \ldots \wedge \psi_n \wedge \psi'
\end{array}
$$

Note that $\overline{\varphi} = \exists x.(c \wedge \overline{\varphi'})$. Consequently, $\mathrm{reduce}(\mathcal{L}, \overline{\varphi})$ is calculated as follows, where we have renamed some bound variables to distinguish them from those in the above display.

$$
\begin{array}{l}
\mathrm{reduce}(\mathcal{L}, \exists x.(c \wedge \overline{\varphi'})) = \mathbf{let} \\
\quad \{\sigma'_1, \ldots, \sigma'_n\} \leftarrow \mathrm{sat}(\mathcal{L}, c) \\
\quad \{t'_i \leftarrow \sigma'_i(x)\}_{i=1}^n \\
\quad S' \leftarrow \{t'_1, \ldots, t'_n\} \\
\quad \{\psi'_i \leftarrow \mathrm{reduce}(\mathcal{L}, \overline{\varphi'}[t'_i/x])\}_{i=1}^n \\
\quad \psi'' \leftarrow \exists x.((c \wedge x \notin S') \wedge \overline{\varphi'}) \\
\mathbf{return}\ \psi'_1 \vee \ldots \vee \psi'_n \vee \psi''
\end{array}
$$

We must have $\sigma'_i = \sigma_i$ (because both are calculated using $\mathrm{sat}(\mathcal{L}, c)$) and, consequently, $t'_i = t_i$ and $S = S'$. Thus, by the i.h., we get that $\mathrm{reduce}(\mathcal{L}, \overline{\varphi'}[t_i/x]) = \overline{\mathrm{reduce}(\mathcal{L}, \varphi'[t_i/x])}$, i.e., $\psi'_i = \overline{\psi_i}$. Also observe that directly from the definition of duality, $\psi'' = \overline{\psi'}$. Thus, $\mathrm{reduce}(\mathcal{L}, \overline{\varphi}) = \psi'_1 \vee \ldots \vee \psi'_n \vee \psi'' = \overline{\psi_1} \vee \ldots \vee \overline{\psi_n} \vee \overline{\psi'} = \overline{\psi_1 \wedge \ldots \wedge \psi_n \wedge \psi'} = \overline{\mathrm{reduce}(\mathcal{L}, \varphi)}$. □

Theorem B.5 (Correctness of reduce; Theorem 4.2). If $\mathrm{reduce}(\mathcal{L}, \varphi) = \psi$ and $\mathcal{L}' \geq \mathcal{L}$, then

(1) $\mathcal{L}' \models \varphi$ iff $\mathcal{L}' \models \psi$ and (2) $\mathcal{L}' \models \overline{\varphi}$ iff $\mathcal{L}' \models \overline{\psi}$.

Proof. First observe that (1) implies (2). Why? Suppose (1) holds for all $\varphi$. We need to show that (2) holds. So suppose $\mathrm{reduce}(\mathcal{L}, \varphi) = \psi$ and $\mathcal{L}' \geq \mathcal{L}$. By Lemma B.4, $\mathrm{reduce}(\mathcal{L}, \overline{\varphi}) = \overline{\psi}$. Applying the assumed (1) to $\overline{\varphi}$ instead of $\varphi$, we immediately deduce that $\mathcal{L}' \models \overline{\varphi}$ iff $\mathcal{L}' \models \overline{\psi}$, as required.

Hence, we only need to prove (1). We do that by induction on $\varphi$, and a case analysis of its top-level constructor.

Case $\varphi = P$. Then,

$$
\mathrm{reduce}(\mathcal{L}, \varphi) = \begin{cases} \top & \text{if } \rho_\mathcal{L}(P) = \mathrm{tt} \\ \bot & \text{if } \rho_\mathcal{L}(P) = \mathrm{ff} \\ P & \text{if } \rho_\mathcal{L}(P) = \mathrm{uu} \end{cases}
$$

We consider three subcases on the value of $\rho_\mathcal{L}(P)$.

Subcase $\rho_\mathcal{L}(P) = \mathrm{tt}$. Here, $\psi = \top$. First, assume that $\mathcal{L}' \models \varphi$. Then, we need to prove that $\mathcal{L}' \models \psi$, i.e., $\mathcal{L}' \models \top$. This follows directly from the definition of $\models$. Conversely, assume that $\mathcal{L}' \models \psi$. We need to prove that $\mathcal{L}' \models P$. By definition, this is equivalent to proving $\rho_{\mathcal{L}'}(P) = \mathrm{tt}$, which follows immediately from the subcase assumption $\rho_\mathcal{L}(P) = \mathrm{tt}$ and the assumption $\mathcal{L}' \geq \mathcal{L}$.

Subcase $\rho_\mathcal{L}(P) = \mathrm{ff}$. Here $\psi = \bot$. First, assume that $\mathcal{L}' \models \varphi$. We need to show that $\mathcal{L}' \models \psi$. From the subcase assumption, we have $\rho_\mathcal{L}(P) = \mathrm{ff}$, so the definition of $\mathcal{L}' \geq \mathcal{L}$ implies that $\rho_{\mathcal{L}'}(P) = \mathrm{ff}$. However, $\mathcal{L}' \models \varphi$ implies $\mathcal{L}' \models P$, i.e., $\rho_{\mathcal{L}'}(P) = \mathrm{tt}$, a contradiction. Thus, $\mathcal{L}' \models \psi$ holds vacuously.

Conversely, suppose that $\mathcal{L}' \models \psi$, i.e., $\mathcal{L}' \models \bot$. By definition of $\models$, this is a contradiction, so $\mathcal{L}' \models \varphi$ holds vacuously, as required.

Subcase $\rho_\mathcal{L}(P) = \mathrm{uu}$. Here, $\varphi = \psi = P$, so the case is trivial.

Case $\varphi = \top$. Then, $\psi = \mathrm{reduce}(\mathcal{L}, \varphi) = \mathrm{reduce}(\mathcal{L}, \top) = \top$. Since $\varphi = \psi$, the case is trivial.

Case $\varphi = \bot$. Then, $\psi = \mathrm{reduce}(\mathcal{L}, \varphi) = \mathrm{reduce}(\mathcal{L}, \bot) = \bot$. Since $\varphi = \psi$, the case is trivial.

Case $\varphi = \varphi_1 \wedge \varphi_2$. Then, $\psi = \mathrm{reduce}(\mathcal{L}, \varphi_1) \wedge \mathrm{reduce}(\mathcal{L}, \varphi_2)$, so both the conjuncts exist.

First, suppose that $\mathcal{L}' \models \varphi$, i.e., $\mathcal{L}' \models \varphi_1$ and $\mathcal{L}' \models \varphi_2$. By the i.h., $\mathcal{L}' \models \mathrm{reduce}(\mathcal{L}, \varphi_1)$ and $\mathcal{L}' \models \mathrm{reduce}(\mathcal{L}, \varphi_2)$ or, equivalently, $\mathcal{L}' \models \psi$.

Conversely, suppose that $\mathcal{L}' \models \psi$. Then, $\mathcal{L}' \models \mathrm{reduce}(\mathcal{L}, \varphi_1)$ and $\mathcal{L}' \models \mathrm{reduce}(\mathcal{L}, \varphi_2)$. By the i.h., $\mathcal{L}' \models \varphi_1$ and $\mathcal{L}' \models \varphi_2$, i.e., $\mathcal{L}' \models \varphi$.

Case $\varphi = \varphi_1 \vee \varphi_2$. Then, $\psi = \mathrm{reduce}(\mathcal{L}, \varphi_1) \vee \mathrm{reduce}(\mathcal{L}, \varphi_2)$, so both the disjuncts exist. First, suppose that $\mathcal{L}' \models \varphi$, i.e., either $\mathcal{L}' \models \varphi_1$ or $\mathcal{L}' \models \varphi_2$. By the i.h., either $\mathcal{L}' \models \mathrm{reduce}(\mathcal{L}, \varphi_1)$ or $\mathcal{L}' \models \mathrm{reduce}(\mathcal{L}, \varphi_2)$. Equivalently, $\mathcal{L}' \models \psi$.

Conversely, suppose that $\mathcal{L}' \models \psi$. Then, either $\mathcal{L}' \models \mathrm{reduce}(\mathcal{L}, \varphi_1)$ or $\mathcal{L}' \models \mathrm{reduce}(\mathcal{L}, \varphi_2)$. By the i.h., either $\mathcal{L}' \models \varphi_1$ or $\mathcal{L}' \models \varphi_2$. Equivalently, $\mathcal{L}' \models \varphi$.

Case $\varphi = \forall x.(c \supset \varphi')$. Then, $\psi = \mathrm{reduce}(\mathcal{L}, \varphi)$ is calculated as follows.

$$
\begin{array}{l}
\mathrm{reduce}(\mathcal{L}, \forall x.(c \supset \varphi')) = \mathbf{let} \\
\quad \{\sigma_1, \ldots, \sigma_n\} \leftarrow \mathrm{sat}(\mathcal{L}, c) \\
\quad \{t_i \leftarrow \sigma_i(x)\}_{i=1}^n \\
\quad S \leftarrow \{t_1, \ldots, t_n\} \\
\quad \{\psi_i \leftarrow \mathrm{reduce}(\mathcal{L}, \varphi'[t_i/x])\}_{i=1}^n \\
\quad \psi' \leftarrow \forall x.((c \wedge x \notin S) \supset \varphi') \\
\mathbf{return}\ \psi_1 \wedge \ldots \wedge \psi_n \wedge \psi'
\end{array}
$$

So $\psi = \psi_1 \wedge \ldots \wedge \psi_n \wedge \forall x.((c \wedge x \notin S) \supset \varphi')$. First, suppose that $\mathcal{L}' \models \varphi$, i.e., $\mathcal{L}' \models \forall x.(c \supset \varphi')$. We need to prove that $\mathcal{L}' \models \psi$, i.e., $\mathcal{L}' \models \psi_i$ and $\mathcal{L}' \models \forall x.((c \wedge x \notin S) \supset \varphi')$. We first prove that $\mathcal{L}' \models \psi_i$. Because $\mathrm{reduce}(\mathcal{L}, \varphi'[t_i/x]) = \psi_i$, by the i.h., it suffices to show that $\mathcal{L}' \models \varphi'[t_i/x]$. From the definition of $\mathcal{L}' \models \forall x.(c \supset \varphi')$, either $\mathcal{L}' \models \overline{c}[t_i/x]$ or $\mathcal{L}' \models \varphi'[t_i/x]$. Hence, it suffices to prove that $\mathcal{L}' \not\models \overline{c}[t_i/x]$. Suppose, for the sake of contradiction, that $\mathcal{L}' \models \overline{c}[t_i/x]$. Since $\sigma_i \in \mathrm{sat}(\mathcal{L}, c)$, Theorem B.3 yields $\mathcal{L} \models c\sigma_i$, i.e., $\mathcal{L} \models c[t_i/x]$ (note that because $\forall x.(c \supset \varphi')$ is closed, $\mathrm{fv}(c) \subseteq \{x\}$, so $c[t_i/x] = c\sigma_i$). Hence, by Lemma B.1, $\mathcal{L}' \models c[t_i/x]$, which, by Lemma B.2, contradicts the earlier assumption $\mathcal{L}' \models \overline{c}[t_i/x]$.

Next, we show that $\mathcal{L}' \models \forall x.((c \wedge x \notin S) \supset \varphi')$. Following the definition of $\models$, pick any $t$. We show that either $\mathcal{L}' \models \overline{(c \wedge x \notin S)}[t/x]$ or $\mathcal{L}' \models \varphi'[t/x]$. Since we assumed that $\mathcal{L}' \models \forall x.(c \supset \varphi')$, either $\mathcal{L}' \models \overline{c}[t/x]$ or $\mathcal{L}' \models \varphi'[t/x]$. The proof is complete by observing that $\mathcal{L}' \models \overline{c}[t/x]$ implies $\mathcal{L}' \models \overline{(c \wed x \notin S)}[t/x]$.

Conversely, assume that $\mathcal{L}' \models \psi$, i.e., $\mathcal{L}' \models \psi_i$ and $\mathcal{L}' \models \forall x.((c \wedge x \notin S) \supset \varphi')$. We need to prove that $\mathcal{L}' \models \varphi$, i.e., $\mathcal{L}' \models \forall x.(c \supset \varphi')$. Following the definition of $\models$, pick any $t$. We need to prove that either $\mathcal{L}' \models \overline{c}[t/x]$ or $\mathcal{L}' \models \varphi'[t/x]$. We consider two subcases. Either $t \in S$ or $t \notin S$.

Subcase $t \in S$. Then, $t = t_i$ for some $i$. Since $\mathrm{reduce}(\mathcal{L}, \varphi'[t_i/x]) = \psi_i$ and $\mathcal{L}' \models \psi_i$, by the i.h. we get $\mathcal{L}' \models \varphi'[t_i/x]$, as required.

Subcase $t \notin S$. We already know that $\mathcal{L}' \models \forall x.((c \wedge x \notin S) \supset \varphi')$. So, either $\mathcal{L}' \models \overline{(c \wedge x \notin S)}[t/x]$ or $\mathcal{L}' \models \varphi'[t/x]$. If the latter, we are done, so assume the former. Thus, $\mathcal{L}' \models \overline{(c \wedge x \notin S)}[t/x]$, i.e., $\mathcal{L}' \models \overline{c}[t/x] \vee t \in S$. This immediately implies that either $\mathcal{L}' \models \overline{c}[t/x]$ or $t \in S$. The former case is sufficient for our purpose, and the latter case contradicts the subcase assumption.

Case $\varphi = \exists x.(c \wedge \varphi')$. Then, $\mathrm{reduce}(\mathcal{L}, \varphi)$ is calculated as follows.

$$
\begin{array}{l}
\mathrm{reduce}(\mathcal{L}, \exists x.(c \wedge \varphi')) = \mathbf{let} \\
\quad \{\sigma_1, \ldots, \sigma_n\} \leftarrow \mathrm{sat}(\mathcal{L}, c) \\
\quad \{t_i \leftarrow \sigma_i(x)\}_{i=1}^n \\
\quad S \leftarrow \{t_1, \ldots, t_n\} \\
\quad \{\psi_i \leftarrow \mathrm{reduce}(\mathcal{L}, \varphi'[t_i/x])\}_{i=1}^n \\
\quad \psi' \leftarrow \exists x.((c \wedge x \notin S) \wedge \varphi') \\
\mathbf{return}\ \psi_1 \vee \ldots \vee \psi_n \vee \psi'
\end{array}
$$

So, $\psi = \psi_1 \vee \ldots \vee \psi_n \vee \exists x.((c \wedge x \notin S) \wedge \varphi')$. First suppose that $\mathcal{L}' \models \varphi$. We show that $\mathcal{L}' \models \psi$. Following the definition of $\models$ on $\mathcal{L}' \models \varphi$, we obtain a $t$ such that $\mathcal{L}' \models c[t/x]$ and $\mathcal{L}' \models \varphi'[t/x]$. We consider two subcases: either $t \in S$ or $t \notin S$.

Subcase $t \in S$. So, $t = t_i$ for some $i$ and from $\mathcal{L}' \models \varphi'[t/x]$ we obtain $\mathcal{L}' \models \varphi'[t_i/x]$. Since $\mathrm{reduce}(\mathcal{L}, \varphi'[t_i/x]) = \psi_i$, by the i.h., we get $\mathcal{L}' \models \psi_i$, which immediately implies $\mathcal{L}' \models \psi$.

Subcase $t \notin S$. Combining this and $\mathcal{L}' \models c[t/x]$, we get $\mathcal{L}' \models (c \wedge x \notin S)[t/x]$. Since $\mathcal{L}' \models \varphi'[t/x]$, we derive from the definition of $\models$ that $\mathcal{L}' \models \exists x.((c \wedge x \notin S) \wedge \varphi')$. This immediately yields $\mathcal{L}' \models \psi$.

Conversely, suppose that $\mathcal{L}' \models \psi$. We show that $\mathcal{L}' \models \varphi$. $\mathcal{L}' \models \psi$ implies that either $\mathcal{L}' \models \psi_i$ for some $i$ or $\mathcal{L}' \models \exists x.((c \wedge x \notin S) \wedge \varphi')$. We consider both subcases below.

Subcase $\mathcal{L}' \models \psi_i$. Since $\mathrm{reduce}(\mathcal{L}, \varphi'[t_i/x]) = \psi_i$, by the i.h., $\mathcal{L}' \models \varphi'[t_i/x]$. Further, observe that because $\sigma_i \in \mathrm{sat}(\mathcal{L}, c)$ and $\mathrm{dom}(\sigma_i) \supseteq \{x\} \supseteq \mathrm{fv}(c)$ (the latter because $\exists x.(c \wedge \varphi')$ must be closed), Theorem B.3 yields $\mathcal{L} \models c\sigma_i$ and, hence, $\mathcal{L} \models c[t_i/x]$. By Lemma B.1, $\mathcal{L}' \models c[t_i/x]$. Since we have already derived $\mathcal{L}' \models \varphi'[t_i/x]$, the definition of $\models$ yields that $\mathcal{L}' \models \exists x.(c \wedge \varphi')$, as required.

Subcase $\mathcal{L}' \models \exists x.((c \wedge x \notin S) \wedge \varphi')$. Thus there must be a $t$ such that $\mathcal{L}' \models c[t/x]$, $t \notin S$, and $\mathcal{L}' \models \varphi'[t/x]$. The first and third facts in the last sentence imply that $\mathcal{L}' \models \exists x.(c \wedge \varphi')$, as required. □

Theorem B.6 (Totality of sat; Theorem 4.7). If $\chi_I \vdash c : \chi_O$, then for all structures $\mathcal{L}$ and all substitutions $\sigma$ with $\mathrm{dom}(\sigma) \supseteq \chi_I$, $\mathrm{sat}(\mathcal{L}, c\sigma)$ is defined and, further, for each substitution $\sigma' \in \mathrm{sat}(\mathcal{L}, c\sigma)$, $\chi_I \cup \mathrm{dom}(\sigma') \supseteq \chi_O$.

Proof. By induction on the given derivation of $\chi_I \vdash c : \chi_O$ and case analysis of its last rule.

Case.
$$
\frac{\forall k \in I(p_o).\ \mathrm{fv}(t_k) \subseteq \chi_I \qquad \chi_O = \chi_I \cup \big(\bigcup_{j \in O(p_o)} \mathrm{fv}(t_j)\big)}{\chi_I \vdash p_o(t_1, \ldots, t_n) : \chi_O}
$$

We are given $\sigma$ such that $\mathrm{dom}(\sigma) \supseteq \chi_I$. From this and the first premise it follows that $\forall k \in I(p_o).\ \mathrm{ground}(t_k\sigma)$. Thus, by definition, $\widehat{\mathrm{sat}}(\mathcal{L}, p_o(t_1, \ldots, t_n)\sigma)$ is defined. Consequently, $\mathrm{sat}(\mathcal{L}, p_o(t_1, \ldots, t_n)\sigma)$, which equals $\widehat{\mathrm{sat}}(\mathcal{L}, p_o(t_1, \ldots, t_n)\sigma)$, is also defined. Pick any $\sigma' \in \mathrm{sat}(\mathcal{L}, p_o(t_1, \ldots, t_n)\sigma)$. By definition of $\widehat{\mathrm{sat}}$, $\mathrm{dom}(\sigma') \supseteq \bigcup_{j \in O(p_o)} \mathrm{fv}(t_j)$. Consequently, $\chi_I \cup \mathrm{dom}(\sigma') \supseteq \chi_I \cup (\bigcup_{j \in O(p_o)} \mathrm{fv}(t_j)) = \chi_O$, where the last relation follows from the second premise.

Case.
$$
\frac{}{\chi_I \vdash \top : \chi_I}
$$

Suppose $\mathrm{dom}(\sigma) \supseteq \chi_I$. Note that $\mathrm{sat}(\mathcal{L}, \top\sigma) = \mathrm{sat}(\mathcal{L}, \top) = \{\bullet\}$ is always defined. If $\sigma' \in \{\bullet\}$, then $\sigma' = \bullet$. Clearly, $\chi_I \cup \mathrm{dom}(\sigma') = \chi_I \cup \mathrm{dom}(\bullet) = \chi_I = \chi_O$.

Case.
$$
\frac{}{\chi_I \vdash \bot : \chi_I}
$$

Suppose $\mathrm{dom}(\sigma) \supseteq \chi_I$. Note that $\mathrm{sat}(\mathcal{L}, \bot\sigma) = \mathrm{sat}(\mathcal{L}, \bot) = \{\}$ is always defined. Because there cannot be a $\sigma' \in \{\}$, the rest of the proof holds vacuously in this case.

Case.
$$
\frac{\chi_I \vdash c_1 : \chi \qquad \chi \vdash c_2 : \chi_O}{\chi_I \vdash c_1 \wedge c_2 : \chi_O}
$$

Suppose $\mathrm{dom}(\sigma) \supseteq \chi_I$. By the i.h. on the first premise, $\mathrm{sat}(\mathcal{L}, c_1\sigma)$ is defined. Let $\mathrm{sat}(\mathcal{L}, c_1\sigma) = \{\sigma_1, \ldots, \sigma_n\}$. Also by the i.h., $\chi_I \cup \mathrm{dom}(\sigma_i) \supseteq \chi$. Call this fact (A). Since $\mathrm{dom}(\sigma) \supseteq \chi_I$, fact (A) implies $\mathrm{dom}(\sigma + \sigma_i) \supseteq \chi$. Using the latter, by the i.h. on the second premise and each of $\{\sigma + \sigma_1, \ldots, \sigma + \sigma_n\}$, we obtain that $\mathrm{sat}(\mathcal{L}, c_2\sigma\sigma_i)$ is defined for each $i$ and $\forall \sigma' \in \mathrm{sat}(\mathcal{L}, c_2\sigma\sigma_i).\ \chi \cup \mathrm{dom}(\sigma') \supseteq \chi_O$. Call the last fact (B). We immediately have that $\mathrm{sat}(\mathcal{L}, (c_1 \wedge c_2)\sigma) = \bigcup_{\sigma_i \in \mathrm{sat}(\mathcal{L}, c_1\sigma)} \sigma_i + \mathrm{sat}(\mathcal{L}, c_2\sigma\sigma_i)$ is also defined.

Pick any $\sigma' \in \mathrm{sat}(\mathcal{L}, (c_1 \wedge c_2)\sigma)$. Then for some $i$ and some $\sigma'_i \in \mathrm{sat}(\mathcal{L}, c_2\sigma\sigma_i)$, we have $\sigma' = \sigma_i + \sigma'_i$. We want to show that $\chi_I \cup \mathrm{dom}(\sigma') \supseteq \chi_O$ or, equivalently, $\chi_I \cup \mathrm{dom}(\sigma_i + \sigma'_i) \supseteq \chi_O$. However, $\chi_I \cup \mathrm{dom}(\sigma_i + \sigma'_i) = \chi_I \cup \mathrm{dom}(\sigma_i) \cup \mathrm{dom}(\sigma'_i) \supseteq \chi \cup \mathrm{dom}(\sigma'_i) \supseteq \chi_O$, where the last two relations follow from facts (A) and (B), respectively.

Case.
$$
\frac{\chi_I \vdash c_1 : \chi_1 \qquad \chi_I \vdash c_2 : \chi_2}{\chi_I \vdash c_1 \vee c_2 : \chi_1 \cap \chi_2}
$$

Suppose $\mathrm{dom}(\sigma) \supseteq \chi_I$. By the i.h. on the first premise, $\mathrm{sat}(\mathcal{L}, c_1\sigma)$ is defined and $\forall \sigma' \in \mathrm{sat}(\mathcal{L}, c_1\sigma).\ \chi_I \cup \mathrm{dom}(\sigma') \supseteq \chi_1$. Call this fact (A). Similarly, by the i.h. on the second premise, $\mathrm{sat}(\mathcal{L}, c_2\sigma)$ is defined and $\forall \sigma' \in \mathrm{sat}(\mathcal{L}, c_2\sigma).\ \chi_I \cup \mathrm{dom}(\sigma') \supseteq \chi_2$. Call this fact (B). By definition of $\mathrm{sat}$, $\mathrm{sat}(\mathcal{L}, (c_1 \vee c_2)\sigma) = \mathrm{sat}(\mathcal{L}, c_1\sigma) \cup \mathrm{sat}(\mathcal{L}, c_2\sigma)$ is defined.

Pick any $\sigma' \in \mathrm{sat}(\mathcal{L}, c_1\sigma) \cup \mathrm{sat}(\mathcal{L}, c_2\sigma)$. We want to show $\chi_I \cup \mathrm{dom}(\sigma') \supseteq \chi_O$. Either $\sigma' \in \mathrm{sat}(\mathcal{L}, c_1\sigma)$ or $\sigma' \in \mathrm{sat}(\mathcal{L}, c_2\sigma)$. Consider the former case (the other case is similar). We have $\chi_I \cup \mathrm{dom}(\sigma') \supseteq \chi_1 \supseteq \chi_1 \cap \chi_2 = \chi_O$, where the first relation follows from fact (A).

Case.
$$
\frac{\chi_I \vdash c : \chi_O}{\chi_I \vdash \exists x.c : \chi_O \setminus \{x\}}
$$

Suppose $\mathrm{dom}(\sigma) \supseteq \chi_I$. By the i.h. on the premise, $\mathrm{sat}(\mathcal{L}, c\sigma)$ is defined and $\forall \sigma'' \in \mathrm{sat}(\mathcal{L}, c\sigma).\ \chi_I \cup \mathrm{dom}(\sigma'') \supseteq \chi_O$. Call the latter fact (A). By definition of $\mathrm{sat}$, $\mathrm{sat}(\mathcal{L}, (\exists x.c)\sigma) = \mathrm{sat}(\mathcal{L}, c\sigma) \setminus \{x\}$ is defined.

Pick any $\sigma' \in \mathrm{sat}(\mathcal{L}, c\sigma) \setminus \{x\}$. We want to prove that $\chi_I \cup \mathrm{dom}(\sigma') \supseteq \chi_O \setminus \{x\}$. However, $\sigma' \in \mathrm{sat}(\mathcal{L}, c\sigma) \setminus \{x\}$ implies (by definition) that there is a $\sigma'' \in \mathrm{sat}(\mathcal{L}, c\sigma)$ such that $\sigma' = \sigma'' \setminus \{x\}$. Thus, $\chi_I \cup \mathrm{dom}(\sigma') = \chi_I \cup (\mathrm{dom}(\sigma'') \setminus \{x\}) \supseteq \chi_O \setminus \{x\}$. The last inclusion follows from fact (A). □
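The mode rules used in the cases above (and the formula-level rules $\chi \vdash \varphi$ used in Theorem B.10 below) can be run directly. The following Python is an added example, not the paper's checker: it computes $\chi_O$ from $\chi_I$ for a constraint and accepts or rejects a policy, so that `sat` is only ever asked to enumerate finitely many substitutions. The tuple encoding, the `modes` table giving the input and output positions $I(p)$ and $O(p)$ of each predicate, the quantifier binding a tuple of variables, and the sample predicates `send`, `recv`, `tagged` and `permits` are all assumptions of this example.

```python
"""Mode checking chi_I |- c : chi_O and chi |- phi, as an added example (not the paper's code).

Constraints: ("atom", p, args), ("top",), ("bot",), ("and", c1, c2), ("or", c1, c2), ("cexists", x, c).
Formulas:    ("atom", p, args), ("top",), ("bot",), ("and", a, b), ("or", a, b),
             ("forall", xs, c, body), ("exists", xs, c, body) with xs a tuple of variables.
Variables are strings starting with "?"; modes[p] = (input positions, output positions)."""


class ModeError(Exception):
    """No rule applies: some constraint could not be evaluated by finite enumeration."""


def is_var(t):
    return isinstance(t, str) and t.startswith("?")


def fv_terms(ts):
    return {t for t in ts if is_var(t)}


def fv_c(c):
    """Free variables of a constraint."""
    tag = c[0]
    if tag == "atom":
        return fv_terms(c[2])
    if tag in ("and", "or"):
        return fv_c(c[1]) | fv_c(c[2])
    if tag == "cexists":
        return fv_c(c[2]) - {c[1]}
    return set()


def mode_c(modes, chi_in, c):
    """chi_I |- c : chi_O. Returns chi_O or raises ModeError."""
    tag = c[0]
    if tag == "atom":
        ins, outs = modes[c[1]]
        for k in ins:                       # every input argument must already be bound
            if not fv_terms([c[2][k]]) <= chi_in:
                raise ModeError(f"input argument {c[2][k]} of {c[1]} is not bound")
        return chi_in | set().union(*(fv_terms([c[2][j]]) for j in outs))
    if tag in ("top", "bot"):
        return set(chi_in)
    if tag == "and":                        # variables bound by c1 are available to c2
        return mode_c(modes, mode_c(modes, chi_in, c[1]), c[2])
    if tag == "or":                         # only variables bound by both branches are guaranteed
        return mode_c(modes, chi_in, c[1]) & mode_c(modes, chi_in, c[2])
    if tag == "cexists":
        return mode_c(modes, chi_in, c[2]) - {c[1]}
    raise ValueError(tag)


def mode_f(modes, chi, phi):
    """chi |- phi. Returns True or raises ModeError."""
    tag = phi[0]
    if tag == "atom":
        if not fv_terms(phi[2]) <= chi:
            raise ModeError(f"atom {phi} has unbound variables")
        return True
    if tag in ("and", "or"):
        return mode_f(modes, chi, phi[1]) and mode_f(modes, chi, phi[2])
    if tag in ("forall", "exists"):
        xs, c, body = phi[1], phi[2], phi[3]
        chi_out = mode_c(modes, chi, c)
        if not set(xs) <= chi_out:          # the quantified variables must be outputs of the guard
            raise ModeError(f"{set(xs) - chi_out} not determined by the guard {c}")
        if not fv_c(c) <= chi | set(xs):    # the guard may only mention bound or quantified variables
            raise ModeError("guard mentions variables that are neither bound nor quantified")
        return mode_f(modes, chi_out, body)
    return True


def is_well_moded(modes, phi):
    """Closed policies start with chi = {} (the statement of Theorem B.10)."""
    try:
        return mode_f(modes, set(), phi)
    except ModeError:
        return False


# Constructed example: send/3 and recv/2 are fully enumerable from the log (all positions are
# outputs); tagged/2 can only be looked up for a given message (position 0 is an input).
MODES = {"send": ((), (0, 1, 2)), "recv": ((), (0, 1)), "tagged": ((0,), (1,))}
OK_POLICY = ("forall", ("?p", "?q", "?m"), ("atom", "send", ("?p", "?q", "?m")),
             ("forall", ("?u",), ("atom", "tagged", ("?m", "?u")),
              ("atom", "permits", ("?u", "?q"))))
# Rejected: the guard is a disjunction, so ?p is bound by only one of its branches.
BAD_POLICY = ("forall", ("?p", "?q", "?m"),
              ("or", ("atom", "send", ("?p", "?q", "?m")), ("atom", "recv", ("?q", "?m"))),
              ("atom", "permits", ("?p", "?q")))
```

The `or` rule returning the intersection $\chi_1 \cap \chi_2$ is what makes `BAD_POLICY` fail: after the guard only `?q` and `?m` are guaranteed bound, so the quantified `?p` cannot be enumerated, which is exactly the situation Theorem B.6 rules out.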


Lemma B.7. If $\chi_I \vdash c : \chi_O$, then $\chi_O \subseteq \chi_I \cup \mathrm{fv}(c)$.

Proof. By a straightforward induction on the given derivation of $\chi_I \vdash c : \chi_O$. □

Lemma B.8 (Mode substitution). The following hold:

1. If $\chi_I \vdash c : \chi_O$, then $\chi_I \setminus \mathrm{dom}(\sigma) \vdash c\sigma : \chi_O \setminus \mathrm{dom}(\sigma)$.

2. If $\chi \vdash \varphi$, then $\chi \setminus \mathrm{dom}(\sigma) \vdash \varphi\sigma$.

Proof. By induction on the given derivations of $\chi_I \vdash c : \chi_O$ and $\chi \vdash \varphi$. □

Lemma B.9 (Mode weakening). The following hold:

1. If $\chi_I \vdash c : \chi_O$ and $\chi'_I \supseteq \chi_I$, then there is a $\chi'_O \supseteq \chi_O$ such that $\chi'_I \vdash c : \chi'_O$.

2. If $\chi \vdash \varphi$ and $\chi' \supseteq \chi$, then $\chi' \vdash \varphi$.

Proof. By induction on the given derivations of $\chi_I \vdash c : \chi_O$ and $\chi \vdash \varphi$. □

Theorem B.10 (Totality of reduce; Theorem 4.8). If $\vdash \varphi$ then there is a $\psi$ such that $\mathrm{reduce}(\mathcal{L}, \varphi) = \psi$ and $\vdash \psi$.

Proof. We prove a more general result: If $\chi \vdash \varphi$ and $\mathrm{dom}(\sigma) \supseteq \chi$, then there is a $\psi$ such that $\mathrm{reduce}(\mathcal{L}, \varphi\sigma) = \psi\sigma$ and $\chi \vdash \psi$. The statement of the theorem follows by choosing $\chi = \{\}$ and $\sigma = \bullet$ in this result. We proceed by induction on the assumed derivation of $\chi \vdash \varphi$, and case analysis of its last rule.
Case.
$$
\frac{\forall k.\ \mathrm{fv}(t_k) \subseteq \chi}{\chi \vdash p(t_1, \ldots, t_n)}
$$

Here, $\varphi = p(t_1, \ldots, t_n)$. Suppose $\mathrm{dom}(\sigma) \supseteq \chi$. Due to the premise, $p(t_1, \ldots, t_n)\sigma$ is ground. Hence, $\rho_\mathcal{L}(p(t_1, \ldots, t_n)\sigma)$ is defined. Depending on whether it is tt, ff, or uu, $\mathrm{reduce}(\mathcal{L}, p(t_1, \ldots, t_n)\sigma)$ is $\top$, $\bot$ or $p(t_1, \ldots, t_n)\sigma$ respectively. Accordingly, we choose $\psi = \top$, $\psi = \bot$ or $\psi = p(t_1, \ldots, t_n)$. In each case, $\chi \vdash \psi$.

Case.
$$
\frac{}{\chi \vdash \top}
$$

Here, $\varphi = \top$. Suppose $\mathrm{dom}(\sigma) \supseteq \chi$. Clearly, we can choose $\psi = \top$ because $\mathrm{reduce}(\mathcal{L}, \top\sigma) = \top = \psi\sigma$ and $\chi \vdash \top$, i.e., $\chi \vdash \psi$.

Case.
$$
\frac{}{\chi \vdash \bot}
$$

Here, $\varphi = \bot$. Suppose $\mathrm{dom}(\sigma) \supseteq \chi$. Clearly, we can choose $\psi = \bot$ because $\mathrm{reduce}(\mathcal{L}, \bot\sigma) = \bot = \psi\sigma$ and $\chi \vdash \bot$, i.e., $\chi \vdash \psi$.

Case.
$$
\frac{\chi \vdash \varphi_1 \qquad \chi \vdash \varphi_2}{\chi \vdash \varphi_1 \wedge \varphi_2}
$$

Here, $\varphi = \varphi_1 \wedge \varphi_2$. Suppose $\mathrm{dom}(\sigma) \supseteq \chi$. By the i.h. on the first premise, there is a $\psi_1$ such that $\mathrm{reduce}(\mathcal{L}, \varphi_1\sigma) = \psi_1\sigma$ and $\chi \vdash \psi_1$. Similarly, by the i.h. on the second premise, there is a $\psi_2$ such that $\mathrm{reduce}(\mathcal{L}, \varphi_2\sigma) = \psi_2\sigma$ and $\chi \vdash \psi_2$. By definition of $\mathrm{reduce}$, $\mathrm{reduce}(\mathcal{L}, \varphi\sigma) = \mathrm{reduce}(\mathcal{L}, (\varphi_1 \wedge \varphi_2)\sigma) = \mathrm{reduce}(\mathcal{L}, \varphi_1\sigma) \wedge \mathrm{reduce}(\mathcal{L}, \varphi_2\sigma) = \psi_1\sigma \wedge \psi_2\sigma$. Further, $\chi \vdash \psi_1 \wedge \psi_2$ follows from $\chi \vdash \psi_1$ and $\chi \vdash \psi_2$. So we can choose $\psi = \psi_1 \wedge \psi_2$.

Case.
$$
\frac{\chi \vdash \varphi_1 \qquad \chi \vdash \varphi_2}{\chi \vdash \varphi_1 \vee \varphi_2}
$$

Here, $\varphi = \varphi_1 \vee \varphi_2$. Suppose $\mathrm{dom}(\sigma) \supseteq \chi$. By the i.h. on the first premise, there is a $\psi_1$ such that $\mathrm{reduce}(\mathcal{L}, \varphi_1\sigma) = \psi_1\sigma$ and $\chi \vdash \psi_1$. Similarly, by the i.h. on the second premise, there is a $\psi_2$ such that $\mathrm{reduce}(\mathcal{L}, \varphi_2\sigma) = \psi_2\sigma$ and $\chi \vdash \psi_2$. By definition of $\mathrm{reduce}$, $\mathrm{reduce}(\mathcal{L}, \varphi\sigma) = \mathrm{reduce}(\mathcal{L}, (\varphi_1 \vee \varphi_2)\sigma) = \mathrm{reduce}(\mathcal{L}, \varphi_1\sigma) \vee \mathrm{reduce}(\mathcal{L}, \varphi_2\sigma) = \psi_1\sigma \vee \psi_2\sigma$. Further, $\chi \vdash \psi_1 \vee \psi_2$ follows from $\chi \vdash \psi_1$ and $\chi \vdash \psi_2$. So we can choose $\psi = \psi_1 \vee \psi_2$.

Case.
$$
\frac{\chi \vdash c : \chi_O \qquad \{x\} \subseteq \chi_O \qquad \mathrm{fv}(c) \subseteq \chi \cup \{x\} \qquad \chi_O \vdash \varphi'}{\chi \vdash \forall x.(c \supset \varphi')}
$$

Here, $\varphi = \forall x.(c \supset \varphi')$. Suppose $\mathrm{dom}(\sigma) \supseteq \chi$. By Theorem B.6 on the first premise, there is a set $\{\sigma_1, \ldots, \sigma_n\} = \mathrm{sat}(\mathcal{L}, c\sigma)$ such that for each $\sigma_i$, $\chi \cup \mathrm{dom}(\sigma_i) \supseteq \chi_O$. Call the latter fact (A). From the second premise and fact (A) we also derive that $\chi \cup \mathrm{dom}(\sigma_i) \ni x$. Since $x$ must be chosen fresh in the premise, this also implies that $\mathrm{dom}(\sigma_i) \ni x$. Consequently, $\sigma_i(x)$ is defined. Let $\sigma_i(x) = t_i$ and let $S = \{t_1, \ldots, t_n\}$. Further, note that by Lemma B.7 on the first premise, $\chi_O \subseteq \chi \cup \mathrm{fv}(c)$. Hence, from the third premise we obtain $\chi_O \subseteq \chi \cup \chi \cup \{x\} = \chi \cup \{x\}$. So, $\mathrm{dom}(\sigma) \cup \{x\} \supseteq \chi \cup \{x\} \supseteq \chi_O$. Call this fact (B). From the i.h. applied to the last premise and fact (B) we get the existence of $\psi_i$ such that $\mathrm{reduce}(\mathcal{L}, \varphi'\sigma[t_i/x]) = \psi_i\sigma[t_i/x]$ and $\chi_O \vdash \psi_i$. Call this fact (C).

By definition of $\mathrm{reduce}$, we obtain $\mathrm{reduce}(\mathcal{L}, \varphi\sigma) = \psi_1\sigma[t_1/x] \wedge \ldots \wedge \psi_n\sigma[t_n/x] \wedge \psi'\sigma$, where $\psi' = \forall x.((c \wedge x \notin S) \supset \varphi')$. Choose $\psi = \psi_1[t_1/x] \wedge \ldots \wedge \psi_n[t_n/x] \wedge \psi'$. It only remains to show that $\chi \vdash \psi$. This is equivalent to showing that $\chi \vdash \psi_i[t_i/x]$ and $\chi \vdash \psi'$. The latter, which is equal to $\chi \vdash \forall x.((c \wedge x \notin S) \supset \varphi')$, follows from the four premises of the rule above. It remains to show that $\chi \vdash \psi_i[t_i/x]$. Applying Lemma B.8 to fact (C), we derive that $\chi_O \setminus \{x\} \vdash \psi_i[t_i/x]$. Since we already derived that $\chi_O \subseteq \chi \cup \{x\}$, we also have $\chi_O \setminus \{x\} \subseteq \chi$. Hence, by Lemma B.9, we get $\chi \vdash \psi_i[t_i/x]$, as required.

Case.
$$
\frac{\chi \vdash c : \chi_O \qquad \{x\} \subseteq \chi_O \qquad \mathrm{fv}(c) \subseteq \chi \cup \{x\} \qquad \chi_O \vdash \varphi'}{\chi \vdash \exists x.(c \wedge \varphi')}
$$

Here, $\varphi = \exists x.(c \wedge \varphi')$. Suppose $\mathrm{dom}(\sigma) \supseteq \chi$. By Theorem B.6 on the first premise, there is a set $\{\sigma_1, \ldots, \sigma_n\} = \mathrm{sat}(\mathcal{L}, c\sigma)$ such that for each $\sigma_i$, $\chi \cup \mathrm{dom}(\sigma_i) \supseteq \chi_O$. Call the latter fact (A). From the second premise and fact (A) we also derive that $\chi \cup \mathrm{dom}(\sigma_i) \ni x$. Since $x$ must be chosen fresh in the premise, this also implies that $\mathrm{dom}(\sigma_i) \ni x$. Consequently, $\sigma_i(x)$ is defined. Let $\sigma_i(x) = t_i$ and let $S = \{t_1, \ldots, t_n\}$. Further, note that by Lemma B.7 on the first premise, $\chi_O \subseteq \chi \cup \mathrm{fv}(c)$. Hence, from the third premise we obtain $\chi_O \subseteq \chi \cup \chi \cup \{x\} = \chi \cup \{x\}$. So, $\mathrm{dom}(\sigma) \cup \{x\} \supseteq \chi \cup \{x\} \supseteq \chi_O$. Call this fact (B). From the i.h. applied to the last premise and fact (B) we get the existence of $\psi_i$ such that $\mathrm{reduce}(\mathcal{L}, \varphi'\sigma[t_i/x]) = \psi_i\sigma[t_i/x]$ and $\chi_O \vdash \psi_i$. Call this fact (C).

By definition of $\mathrm{reduce}$, we obtain $\mathrm{reduce}(\mathcal{L}, \varphi\sigma) = \psi_1\sigma[t_1/x] \vee \ldots \vee \psi_n\sigma[t_n/x] \vee \psi'\sigma$, where $\psi' = \exists x.((c \wedge x \notin S) \wedge \varphi')$. Choose $\psi = \psi_1[t_1/x] \vee \ldots \vee \psi_n[t_n/x] \vee \psi'$. It only remains to show that $\chi \vdash \psi$. This is equivalent to showing that $\chi \vdash \psi_i[t_i/x]$ and $\chi \vdash \psi'$. The latter, which is equal to $\chi \vdash \exists x.((c \wedge x \notin S) \wedge \varphi')$, follows from the four premises of the rule above. It remains to show that $\chi \vdash \psi_i[t_i/x]$. Applying Lemma B.8 to fact (C), we derive that $\chi_O \setminus \{x\} \vdash \psi_i[t_i/x]$. Since we already derived that $\chi_O \subseteq \chi \cup \{x\}$, we also have $\chi_O \setminus \{x\} \subseteq \chi$. Hence, by Lemma B.9, we get $\chi \vdash \psi_i[t_i/x]$, as required. □

Lemma B.11 (Totality of atoms). Suppose $\chi \vdash \varphi$ and $\mathrm{dom}(\sigma) \supseteq \chi$. Then, $\mathrm{atoms}(\mathcal{L}, \varphi\sigma)$ is defined and ground.

Proof. By induction on the given derivation of $\chi \vdash \varphi$ and case analysis of its last rule.

Case.
$$
\frac{\forall k.\ \mathrm{fv}(t_k) \subseteq \chi}{\chi \vdash p(t_1, \ldots, t_k)}
$$

Here $\varphi = p(t_1, \ldots, t_k)$. From the premise and the given condition $\mathrm{dom}(\sigma) \supseteq \chi$, we know that $p(t_1, \ldots, t_k)\sigma$ is ground. Clearly, then $\mathrm{atoms}(\mathcal{L}, p(t_1, \ldots, t_k)\sigma) = \{p(t_1, \ldots, t_k)\sigma\}$ is defined and ground.

Case.
$$
\frac{}{\chi \vdash \top}
$$

Here $\varphi = \top$. So $\mathrm{atoms}(\mathcal{L}, \varphi\sigma) = \mathrm{atoms}(\mathcal{L}, \top) = \{\}$ is defined and ground.

Case.
$$
\frac{}{\chi \vdash \bot}
$$

Here $\varphi = \bot$. So $\mathrm{atoms}(\mathcal{L}, \varphi\sigma) = \mathrm{atoms}(\mathcal{L}, \bot) = \{\}$ is defined and ground.

Case.
$$
\frac{\chi \vdash \varphi_1 \qquad \chi \vdash \varphi_2}{\chi \vdash \varphi_1 \wedge \varphi_2}
$$

Here $\varphi = \varphi_1 \wedge \varphi_2$. By the i.h. applied to the premises, $\mathrm{atoms}(\mathcal{L}, \varphi_i\sigma)$ for $i = 1, 2$ is defined and ground. It follows that $\mathrm{atoms}(\mathcal{L}, \varphi\sigma) = \mathrm{atoms}(\mathcal{L}, \varphi_1\sigma \wedge \varphi_2\sigma) = \mathrm{atoms}(\mathcal{L}, \varphi_1\sigma) \cup \mathrm{atoms}(\mathcal{L}, \varphi_2\sigma)$ is also defined and ground.

Case.
$$
\frac{\chi \vdash \varphi_1 \qquad \chi \vdash \varphi_2}{\chi \vdash \varphi_1 \vee \varphi_2}
$$

Here $\varphi = \varphi_1 \vee \varphi_2$. By the i.h. applied to the premises, $\mathrm{atoms}(\mathcal{L}, \varphi_i\sigma)$ for $i = 1, 2$ is defined and ground. It follows that $\mathrm{atoms}(\mathcal{L}, \varphi\sigma) = \mathrm{atoms}(\mathcal{L}, \varphi_1\sigma \vee \varphi_2\sigma) = \mathrm{atoms}(\mathcal{L}, \varphi_1\sigma) \cup \mathrm{atoms}(\mathcal{L}, \varphi_2\sigma)$ is also defined and ground.

Case.
$$
\frac{\chi \vdash c : \chi_O \qquad \{x\} \subseteq \chi_O \qquad \mathrm{fv}(c) \subseteq \chi \cup \{x\} \qquad \chi_O \vdash \varphi'}{\chi \vdash \forall x.(c \supset \varphi')}
$$

Here $\varphi = \forall x.(c \supset \varphi')$. By Theorem B.6 on the first premise and the given condition $\mathrm{dom}(\sigma) \supseteq \chi$, $\mathrm{sat}(\mathcal{L}, c\sigma)$ is defined and for all $\sigma' \in \mathrm{sat}(\mathcal{L}, c\sigma)$, $\chi \cup \mathrm{dom}(\sigma') \supseteq \chi_O$. The latter implies that for all $\sigma' \in \mathrm{sat}(\mathcal{L}, c\sigma)$, $\mathrm{dom}(\sigma\sigma') \supseteq \chi_O$. By the i.h. on the last premise, for each $\sigma' \in \mathrm{sat}(\mathcal{L}, c\sigma)$, $\mathrm{atoms}(\mathcal{L}, \varphi'\sigma\sigma')$ is defined and ground. Hence, by definition, $\mathrm{atoms}(\mathcal{L}, \varphi\sigma) = \bigcup_{\sigma' \in \mathrm{sat}(\mathcal{L}, c\sigma)} \mathrm{atoms}(\mathcal{L}, \varphi'\sigma\sigma')$ is defined and ground.

Case.
$$
\frac{\chi \vdash c : \chi_O \qquad \{x\} \subseteq \chi_O \qquad \mathrm{fv}(c) \subseteq \chi \cup \{x\} \qquad \chi_O \vdash \varphi'}{\chi \vdash \exists x.(c \wedge \varphi')}
$$

Here $\varphi = \exists x.(c \wedge \varphi')$. By Theorem B.6 on the first premise and the given condition $\mathrm{dom}(\sigma) \supseteq \chi$, $\mathrm{sat}(\mathcal{L}, c\sigma)$ is defined and for all $\sigma' \in \mathrm{sat}(\mathcal{L}, c\sigma)$, $\chi \cup \mathrm{dom}(\sigma') \supseteq \chi_O$. The latter implies that for all $\sigma' \in \mathrm{sat}(\mathcal{L}, c\sigma)$, $\mathrm{dom}(\sigma\sigma') \supseteq \chi_O$. By the i.h. on the last premise, for each $\sigma' \in \mathrm{sat}(\mathcal{L}, c\sigma)$, $\mathrm{atoms}(\mathcal{L}, \varphi'\sigma\sigma')$ is defined and ground. Hence, by definition, $\mathrm{atoms}(\mathcal{L}, \varphi\sigma) = \bigcup_{\sigma' \in \mathrm{sat}(\mathcal{L}, c\sigma)} \mathrm{atoms}(\mathcal{L}, \varphi'\sigma\sigma')$ is defined and ground. □

Theorem B.12 (Minimality; Theorem 4.3). Suppose $\vdash \varphi$ and $\mathrm{reduce}(\mathcal{L}, \varphi) = \psi$. Then $\mathrm{atoms}(\mathcal{L}, \psi) \subseteq \mathrm{atoms}(\mathcal{L}, \varphi) \cap \{P \mid \rho_\mathcal{L}(P) = \mathrm{uu}\}$.

Proof. By Lemma B.11, $\mathrm{atoms}(\mathcal{L}, \varphi)$ is defined. Further, by Theorem B.10, $\vdash \psi$, so $\mathrm{atoms}(\mathcal{L}, \psi)$ is also defined. Hence, the statement of the theorem makes sense. We prove the relation $\mathrm{atoms}(\mathcal{L}, \psi) \subseteq \mathrm{atoms}(\mathcal{L}, \varphi) \cap \{P \mid \rho_\mathcal{L}(P) = \mathrm{uu}\}$ by induction on $\varphi$ and case analysis of its form. Let $U = \{P \mid \rho_\mathcal{L}(P) = \mathrm{uu}\}$. We want to show that $\mathrm{atoms}(\mathcal{L}, \psi) \subseteq \mathrm{atoms}(\mathcal{L}, \varphi) \cap U$.

Case $\varphi = P$ where $P$ is either a subjective or an objective atom. We perform a sub-case analysis on $\rho_\mathcal{L}(P)$.

Subcase $\rho_\mathcal{L}(P) = \mathrm{tt}$. Then, $\psi = \top$. So, trivially, $\mathrm{atoms}(\mathcal{L}, \psi) = \{\} \subseteq \mathrm{atoms}(\mathcal{L}, \varphi) \cap U$.

Subcase $\rho_\mathcal{L}(P) = \mathrm{ff}$. Then, $\psi = \bot$. So, trivially, $\mathrm{atoms}(\mathcal{L}, \psi) = \{\} \subseteq \mathrm{atoms}(\mathcal{L}, \varphi) \cap U$.

Subcase $\rho_\mathcal{L}(P) = \mathrm{uu}$. Then, $\psi = P$. Further, in this case, $\mathrm{atoms}(\mathcal{L}, \psi) = \{P\} = \mathrm{atoms}(\mathcal{L}, \varphi)$ and $P \in U$ (the latter by definition of $U$). Clearly, $\mathrm{atoms}(\mathcal{L}, \psi) \subseteq \mathrm{atoms}(\mathcal{L}, \varphi) \cap U$.

Case $\varphi = \top$. Here, $\psi = \top$. So, trivially, $\mathrm{atoms}(\mathcal{L}, \psi) = \{\} \subseteq \mathrm{atoms}(\mathcal{L}, \varphi) \cap U$.

Case $\varphi = \bot$. Here, $\psi = \bot$. So, trivially, $\mathrm{atoms}(\mathcal{L}, \psi) = \{\} \subseteq \mathrm{atoms}(\mathcal{L}, \varphi) \cap U$.

Case $\varphi = \varphi_1 \wedge \varphi_2$. Then, $\psi = \mathrm{reduce}(\mathcal{L}, \varphi_1) \wedge \mathrm{reduce}(\mathcal{L}, \varphi_2)$. By inversion on the derivation of $\vdash \varphi$, we know that $\vdash \varphi_1$ and $\vdash \varphi_2$. Hence, by the i.h., for $i = 1, 2$, $\mathrm{atoms}(\mathcal{L}, \mathrm{reduce}(\mathcal{L}, \varphi_i)) \subseteq \mathrm{atoms}(\mathcal{L}, \varphi_i) \cap U$. Thus, we have $\mathrm{atoms}(\mathcal{L}, \psi) = \mathrm{atoms}(\mathcal{L}, \mathrm{reduce}(\mathcal{L}, \varphi_1)) \cup \mathrm{atoms}(\mathcal{L}, \mathrm{reduce}(\mathcal{L}, \varphi_2)) \subseteq (\mathrm{atoms}(\mathcal{L}, \varphi_1) \cap U) \cup (\mathrm{atoms}(\mathcal{L}, \varphi_2) \cap U) = (\mathrm{atoms}(\mathcal{L}, \varphi_1) \cup \mathrm{atoms}(\mathcal{L}, \varphi_2)) \cap U = \mathrm{atoms}(\mathcal{L}, \varphi) \cap U$.

Case $\varphi = \varphi_1 \vee \varphi_2$. Then, $\psi = \mathrm{reduce}(\mathcal{L}, \varphi_1) \vee \mathrm{reduce}(\mathcal{L}, \varphi_2)$. By inversion on the derivation of $\vdash \varphi$, we know that $\vdash \varphi_1$ and $\vdash \varphi_2$. Hence, by the i.h., for $i = 1, 2$, $\mathrm{atoms}(\mathcal{L}, \mathrm{reduce}(\mathcal{L}, \varphi_i)) \subseteq \mathrm{atoms}(\mathcal{L}, \varphi_i) \cap U$. Thus, we have $\mathrm{atoms}(\mathcal{L}, \psi) = \mathrm{atoms}(\mathcal{L}, \mathrm{reduce}(\mathcal{L}, \varphi_1)) \cup \mathrm{atoms}(\mathcal{L}, \mathrm{reduce}(\mathcal{L}, \varphi_2)) \subseteq (\mathrm{atoms}(\mathcal{L}, \varphi_1) \cap U) \cup (\mathrm{atoms}(\mathcal{L}, \varphi_2) \cap U) = (\mathrm{atoms}(\mathcal{L}, \varphi_1) \cup \mathrm{atoms}(\mathcal{L}, \varphi_2)) \cap U = \mathrm{atoms}(\mathcal{L}, \varphi) \cap U$.

Case $\varphi = \forall x.(c \supset \varphi')$. Then,

$$
\begin{array}{l}
\psi = \mathrm{reduce}(\mathcal{L}, \varphi) = \mathbf{let} \\
\quad \{\sigma_1, \ldots, \sigma_n\} \leftarrow \mathrm{sat}(\mathcal{L}, c) \\
\quad \{t_i \leftarrow \sigma_i(x)\}_{i=1}^n \\
\quad S \leftarrow \{t_1, \ldots, t_n\} \\
\quad \{\psi_i \leftarrow \mathrm{reduce}(\mathcal{L}, \varphi'[t_i/x])\}_{i=1}^n \\
\quad \psi' \leftarrow \forall x.((c \wedge x \notin S) \supset \varphi') \\
\mathbf{return}\ \psi_1 \wedge \ldots \wedge \psi_n \wedge \psi'
\end{array}
$$

By inversion on the given derivation of $\vdash \varphi$, we know that there is a $\chi_O$ such that (1) $\{\} \vdash c : \chi_O$, (2) $\{x\} \subseteq \chi_O$, (3) $\mathrm{fv}(c) \subseteq \{x\}$, and (4) $\chi_O \vdash \varphi'$. By Lemma B.7 on (1), $\chi_O \subseteq \mathrm{fv}(c)$. From this, (2), and (3), it follows that $\{x\} = \mathrm{fv}(c) = \chi_O$. Call this fact (A). Using Lemma B.8 on (4), we get $\chi_O \setminus \{x\} \vdash \varphi'[t_i/x]$. This and fact (A) imply that $\vdash \varphi'[t_i/x]$. Call this fact (B). By the i.h. on fact (B) and $\psi_i \leftarrow \mathrm{reduce}(\mathcal{L}, \varphi'[t_i/x])$, we get that $\mathrm{atoms}(\mathcal{L}, \psi_i) \subseteq \mathrm{atoms}(\mathcal{L}, \varphi'[t_i/x]) \cap U$. Call this fact (C).

Next, $\mathrm{sat}(\mathcal{L}, (c \wedge x \notin S)) = \bigcup_{\sigma' \in \mathrm{sat}(\mathcal{L}, c)} (\sigma' + \mathrm{sat}(\mathcal{L}, \sigma'(x) \notin S)) = \bigcup_{i=1}^n (\sigma_i + \mathrm{sat}(\mathcal{L}, t_i \notin S)) = \bigcup_{i=1}^n (\sigma_i + \{\}) = \{\}$. Hence, by definition, $\mathrm{atoms}(\mathcal{L}, \psi') = \mathrm{atoms}(\mathcal{L}, \forall x.((c \wedge x \notin S) \supset \varphi')) = \{\}$. Call this fact (D).

Also, $\mathrm{atoms}(\mathcal{L}, \varphi) = \mathrm{atoms}(\mathcal{L}, \forall x.(c \supset \varphi')) = \bigcup_{\sigma \in \mathrm{sat}(\mathcal{L}, c)} \mathrm{atoms}(\mathcal{L}, \varphi'\sigma) = \bigcup_{i=1}^n \mathrm{atoms}(\mathcal{L}, \varphi'\sigma_i) = \bigcup_{i=1}^n \mathrm{atoms}(\mathcal{L}, \varphi'[t_i/x])$ (the last equality follows from $\mathrm{fv}(\varphi') \subseteq \{x\}$, which in turn follows from fact (B)). Call this fact (E).

Finally, we have,

$$
\begin{array}{rcll}
\mathrm{atoms}(\mathcal{L}, \psi) & = & \mathrm{atoms}(\mathcal{L}, \psi_1 \wedge \ldots \wedge \psi_n \wedge \psi') & \\
& = & \mathrm{atoms}(\mathcal{L}, \psi') \cup (\bigcup_{i=1}^n \mathrm{atoms}(\mathcal{L}, \psi_i)) & \text{(Defn. of atoms)} \\
& = & \{\} \cup (\bigcup_{i=1}^n \mathrm{atoms}(\mathcal{L}, \psi_i)) & \text{(Fact (D))} \\
& = & \bigcup_{i=1}^n \mathrm{atoms}(\mathcal{L}, \psi_i) & \\
& \subseteq & \bigcup_{i=1}^n (\mathrm{atoms}(\mathcal{L}, \varphi'[t_i/x]) \cap U) & \text{(Fact (C))} \\
& = & (\bigcup_{i=1}^n \mathrm{atoms}(\mathcal{L}, \varphi'[t_i/x])) \cap U & \\
& = & \mathrm{atoms}(\mathcal{L}, \varphi) \cap U & \text{(Fact (E))}
\end{array}
$$

Case $\varphi = \exists x.(c \wedge \varphi')$. Then,

$$
\begin{array}{l}
\psi = \mathrm{reduce}(\mathcal{L}, \varphi) = \mathbf{let} \\
\quad \{\sigma_1, \ldots, \sigma_n\} \leftarrow \mathrm{sat}(\mathcal{L}, c) \\
\quad \{t_i \leftarrow \sigma_i(x)\}_{i=1}^n \\
\quad S \leftarrow \{t_1, \ldots, t_n\} \\
\quad \{\psi_i \leftarrow \mathrm{reduce}(\mathcal{L}, \varphi'[t_i/x])\}_{i=1}^n \\
\quad \psi' \leftarrow \exists x.((c \wedge x \notin S) \wedge \varphi') \\
\mathbf{return}\ \psi_1 \vee \ldots \vee \psi_n \vee \psi'
\end{array}
$$

By inversion on the given derivation of $\vdash \varphi$, we know that there is a $\chi_O$ such that (1) $\{\} \vdash c : \chi_O$, (2) $\{x\} \subseteq \chi_O$, (3) $\mathrm{fv}(c) \subseteq \{x\}$, and (4) $\chi_O \vdash \varphi'$. By Lemma B.7 on (1), $\chi_O \subseteq \mathrm{fv}(c)$. From this, (2), and (3), it follows that $\{x\} = \mathrm{fv}(c) = \chi_O$. Call this fact (A). Using Lemma B.8 on (4), we get $\chi_O \setminus \{x\} \vdash \varphi'[t_i/x]$. This and fact (A) imply that $\vdash \varphi'[t_i/x]$. Call this fact (B). By the i.h. on fact (B) and $\psi_i \leftarrow \mathrm{reduce}(\mathcal{L}, \varphi'[t_i/x])$, we get that $\mathrm{atoms}(\mathcal{L}, \psi_i) \subseteq \mathrm{atoms}(\mathcal{L}, \varphi'[t_i/x]) \cap U$. Call this fact (C).

Next, $\mathrm{sat}(\mathcal{L}, (c \wedge x \notin S)) = \bigcup_{\sigma' \in \mathrm{sat}(\mathcal{L}, c)} (\sigma' + \mathrm{sat}(\mathcal{L}, \sigma'(x) \notin S)) = \bigcup_{i=1}^n (\sigma_i + \mathrm{sat}(\mathcal{L}, t_i \notin S)) = \bigcup_{i=1}^n (\sigma_i + \{\}) = \{\}$. Hence, by definition, $\mathrm{atoms}(\mathcal{L}, \psi') = \mathrm{atoms}(\mathcal{L}, \exists x.((c \wedge x \notin S) \wedge \varphi')) = \{\}$. Call this fact (D).

Also, $\mathrm{atoms}(\mathcal{L}, \varphi) = \mathrm{atoms}(\mathcal{L}, \exists x.(c \wedge \varphi')) = \bigcup_{\sigma \in \mathrm{sat}(\mathcal{L}, c)} \mathrm{atoms}(\mathcal{L}, \varphi'\sigma) = \bigcup_{i=1}^n \mathrm{atoms}(\mathcal{L}, \varphi'\sigma_i) = \bigcup_{i=1}^n \mathrm{atoms}(\mathcal{L}, \varphi'[t_i/x])$ (the last equality follows from $\mathrm{fv}(\varphi') \subseteq \{x\}$, which in turn follows from fact (B)). Call this fact (E).

Finally, we have,

$$
\begin{array}{rcll}
\mathrm{atoms}(\mathcal{L}, \psi) & = & \mathrm{atoms}(\mathcal{L}, \psi_1 \vee \ldots \vee \psi_n \vee \psi') & \\
& = & \mathrm{atoms}(\mathcal{L}, \psi') \cup (\bigcup_{i=1}^n \mathrm{atoms}(\mathcal{L}, \psi_i)) & \text{(Defn. of atoms)} \\
& = & \{\} \cup (\bigcup_{i=1}^n \mathrm{atoms}(\mathcal{L}, \psi_i)) & \text{(Fact (D))} \\
& = & \bigcup_{i=1}^n \mathrm{atoms}(\mathcal{L}, \psi_i) & \\
& \subseteq & \bigcup_{i=1}^n (\mathrm{atoms}(\mathcal{L}, \varphi'[t_i/x]) \cap U) & \text{(Fact (C))} \\
& = & (\bigcup_{i=1}^n \mathrm{atoms}(\mathcal{L}, \varphi'[t_i/x])) \cap U & \\
& = & \mathrm{atoms}(\mathcal{L}, \varphi) \cap U & \text{(Fact (E))}
\end{array}
$$

□


C Proofs from Section 5

This appendix contains proofs of theorems presented in Section 5.

Lemma C.1. Suppose $\psi$ does not contain any quantifiers or objective atoms. Then, $\psi \rightarrow^* \psi'$ such that (1) $\psi'$ is either $\top$, or $\bot$, or contains only subjective atoms and the connectives $\wedge$, $\vee$, and (2) for all structures $\mathcal{L}$, $\mathcal{L} \models \psi$ iff $\mathcal{L} \models \psi'$ and $\mathcal{L} \models \overline{\psi}$ iff $\mathcal{L} \models \overline{\psi'}$.

Proof. By induction on $\psi$. If $\psi$ is either $\top$, $\bot$, or $p_s$, we can choose $\psi' = \psi$.

If $\psi = \psi_1 \wedge \psi_2$, then we inductively rewrite both $\psi_1$ and $\psi_2$ to $\psi'_1$ and $\psi'_2$, respectively. Thus, $\psi_1 \wedge \psi_2 \rightarrow^* \psi'_1 \wedge \psi'_2$. If either $\psi'_1$ or $\psi'_2$ equals $\bot$, then $\psi'_1 \wedge \psi'_2 \rightarrow \bot$ and we choose $\psi' = \bot$. If $\psi'_1 = \top$, then $\psi'_1 \wedge \psi'_2 \rightarrow \psi'_2$, so we can choose $\psi' = \psi'_2$. Similarly, if $\psi'_2 = \top$, then $\psi'_1 \wedge \psi'_2 \rightarrow \psi'_1$, so we can choose $\psi' = \psi'_1$. Finally, if both $\psi'_1$ and $\psi'_2$ contain only subjective atoms and connectives $\wedge$, $\vee$, then we choose $\psi' = \psi'_1 \wedge \psi'_2$.

The case of $\psi = \psi_1 \vee \psi_2$ is handled similarly. No other cases apply. □

Lemma C.2. If $\mathcal{L}$ is objectively-complete, then for all restrictions $c$, either $\mathcal{L} \models c$ or $\mathcal{L} \models \overline{c}$.

Proof. By induction on $c$. □

Lemma C.3. If $\mathcal{L}$ is objectively-complete and $\mathcal{L}' \geq \mathcal{L}$, then for all restrictions $c$, $\mathcal{L}' \models c$ iff $\mathcal{L} \models c$.

Proof. Suppose $\mathcal{L}' \geq \mathcal{L}$. Observe that because $\mathcal{L}$ is objectively-complete, $\mathcal{L}'$ and $\mathcal{L}$ agree on the valuation of objective atoms, which are the only atoms in $c$. The result now follows by a straightforward induction on $c$. □

Theorem C.4 (Theorem 5.2). Suppose $\mathcal{L}$ is objectively-complete, $\vdash \varphi$ and $\psi = \mathrm{reduce}(\mathcal{L}, \varphi)$. Then $\psi \rightarrow^* \psi'$, where (1) $\psi'$ is either $\top$, or $\bot$, or contains only subjective atoms and the connectives $\wedge$, $\vee$, and (2) for all $\mathcal{L}' \geq \mathcal{L}$, $\mathcal{L}' \models \psi$ iff $\mathcal{L}' \models \psi'$ and $\mathcal{L}' \models \overline{\psi}$ iff $\mathcal{L}' \models \overline{\psi'}$.

Proof. By induction on $\varphi$ and case analysis of its form. Define $\mathrm{simp}(\psi')$ to mean statement (1) of the theorem, i.e., that $\psi'$ is either $\top$, or $\bot$, or contains only subjective atoms and the connectives $\wedge$, $\vee$. Define $\mathrm{equiv}(\mathcal{L}, \psi, \psi')$ to mean statement (2) of the theorem, i.e., for all $\mathcal{L}' \geq \mathcal{L}$, $\mathcal{L}' \models \psi$ iff $\mathcal{L}' \models \psi'$ and $\mathcal{L}' \models \overline{\psi}$ iff $\mathcal{L}' \models \overline{\psi'}$.

Case. $\varphi = p_o$. In this case, $\rho_{\mathcal{L}}(p_o) \in \{\mathsf{tt}, \mathsf{ff}\}$ and, accordingly, $\psi = \top$ or $\psi = \bot$. So we can choose $\psi' = \psi$ to trivially satisfy both (1) and (2).

Case. $\varphi = p_s$. In this case $\psi = \top$ or $\psi = \bot$ or $\psi = p_s$. So we can choose $\psi' = \psi$ to trivially satisfy both (1) and (2).

Case. $\varphi = \top$. Then, $\psi = \top$. We choose $\psi' = \psi$ to trivially satisfy both (1) and (2).

Case. $\varphi = \bot$. Then, $\psi = \bot$. We choose $\psi' = \psi$ to trivially satisfy both (1) and (2).

Case. $\varphi = \varphi_1 \wedge \varphi_2$. Then, $\psi = \psi_1 \wedge \psi_2$, where $\psi_i = \mathrm{reduce}(\mathcal{L}, \varphi_i)$ for $i = 1, 2$. By inversion on the given derivation of $\vdash \varphi$, we deduce $\vdash \varphi_1$ and $\vdash \varphi_2$. Hence, from the i.h., $\psi_i \rightarrow^* \psi'_i$ where $\mathrm{simp}(\psi'_i)$ and $\mathrm{equiv}(\mathcal{L}, \psi_i, \psi'_i)$. The last fact implies that $\mathrm{equiv}(\mathcal{L}, \psi, \psi'_1 \wedge \psi'_2)$. Further, $\psi = \psi_1 \wedge \psi_2 \rightarrow^* \psi'_1 \wedge \psi'_2$. Using Lemma C.1, we obtain a $\psi'$ such that $\psi'_1 \wedge \psi'_2 \rightarrow^* \psi'$, $\mathrm{simp}(\psi')$ and $\mathrm{equiv}(\mathcal{L}, \psi'_1 \wedge \psi'_2, \psi')$. The last fact and $\mathrm{equiv}(\mathcal{L}, \psi, \psi'_1 \wedge \psi'_2)$ imply $\mathrm{equiv}(\mathcal{L}, \psi, \psi')$. So $\psi'$ satisfies all our requirements.

Case. $\varphi = \varphi_1 \vee \varphi_2$. Then, $\psi = \psi_1 \vee \psi_2$, where $\psi_i = \mathrm{reduce}(\mathcal{L}, \varphi_i)$ for $i = 1, 2$. By inversion on the given derivation of $\vdash \varphi$, we deduce $\vdash \varphi_1$ and $\vdash \varphi_2$. Hence, from the i.h., $\psi_i \rightarrow^* \psi'_i$ where $\mathrm{simp}(\psi'_i)$ and $\mathrm{equiv}(\mathcal{L}, \psi_i, \psi'_i)$. The last fact implies that $\mathrm{equiv}(\mathcal{L}, \psi, \psi'_1 \vee \psi'_2)$. Further, $\psi = \psi_1 \vee \psi_2 \rightarrow^* \psi'_1 \vee \psi'_2$. Using Lemma C.1, we obtain a $\psi'$ such that $\psi'_1 \vee \psi'_2 \rightarrow^* \psi'$, $\mathrm{simp}(\psi')$ and $\mathrm{equiv}(\mathcal{L}, \psi'_1 \vee \psi'_2, \psi')$. The last fact and $\mathrm{equiv}(\mathcal{L}, \psi, \psi'_1 \vee \psi'_2)$ imply $\mathrm{equiv}(\mathcal{L}, \psi, \psi')$. So $\psi'$ satisfies all our requirements.

Case. $\varphi = \forall \vec{x}.(c \supset \varphi')$. Then, $\psi$ is calculated as follows:

$$\begin{array}{l}
\psi = \mathrm{reduce}(\mathcal{L}, \varphi) = \mathbf{let} \\
\quad \{\sigma_1, \ldots, \sigma_n\} \leftarrow \mathrm{sat}(\mathcal{L}, c) \\
\quad \{t_i \leftarrow \sigma_i(\vec{x})\}_{i=1}^{n} \\
\quad S \leftarrow \{t_1, \ldots, t_n\} \\
\quad \{\psi_i \leftarrow \mathrm{reduce}(\mathcal{L}, \varphi'[t_i/\vec{x}])\}_{i=1}^{n} \\
\quad \psi'' \leftarrow \forall \vec{x}.((c \wedge \vec{x} \notin S) \supset \varphi') \\
\mathbf{return}\ \psi_1 \wedge \ldots \wedge \psi_n \wedge \psi''
\end{array}$$

By inversion on the given derivation of $\vdash \varphi$, we know that there is a $\chi_0$ such that (1) $\{\} \vdash c : \chi_0$, (2) $\vec{x} \subseteq \chi_0$, (3) $\mathrm{fv}(c) \subseteq \vec{x}$, and (4) $\chi_0 \vdash \varphi'$. By Lemma B.7 on (1), $\chi_0 \subseteq \mathrm{fv}(c)$. From this, (2), and (3), it follows that $\vec{x} = \mathrm{fv}(c) = \chi_0$. Call this fact (A). Note also that by Theorem B.6, $\mathrm{dom}(\sigma_i) \supseteq \chi_0 = \vec{x}$. Call this fact (B).

Next, we show that $\mathrm{equiv}(\mathcal{L}, \psi'', \top)$. Since for all $\mathcal{L}'$, $\mathcal{L}' \models \top$, it suffices to show that for all $\mathcal{L}' \geq \mathcal{L}$, $\mathcal{L}' \models \forall \vec{x}.((c \wedge \vec{x} \notin S) \supset \varphi')$. By definition of $\models$, it suffices to prove that for all $t$ and $\mathcal{L}' \geq \mathcal{L}$, $\mathcal{L}' \models \overline{c[t/\vec{x}] \wedge t \notin S}$, i.e., $\mathcal{L}' \models \overline{c[t/\vec{x}]} \vee t \in S$. If $t = t_i$ for some $i$, then $\mathcal{L}' \models t \in S$ by definition of $S$, so we are done. Hence, we need only consider the case where $t \notin S$. In this case we show that $\mathcal{L}' \models \overline{c[t/\vec{x}]}$. By Lemma C.2, this is implied by $\mathcal{L}' \not\models c[t/\vec{x}]$, so we show the latter. Suppose, for the sake of contradiction, that $\mathcal{L}' \models c[t/\vec{x}]$. By Lemma C.3, $\mathcal{L} \models c[t/\vec{x}]$. Hence, by Theorem B.3, there is a $\sigma \in \mathrm{sat}(\mathcal{L}, c)$ such that $[\vec{x} \mapsto t] \geq \sigma$. $\sigma \in \mathrm{sat}(\mathcal{L}, c)$ forces $\sigma = \sigma_i$ for some $i$ and, by fact (B), $t = t_i$. Hence, $t = t_i \in S$, a contradiction. Therefore, $\mathrm{equiv}(\mathcal{L}, \psi'', \top)$. Call this fact (C).

By Lemma B.8 on (4), we derive $\chi_0 \setminus \vec{x} \vdash \varphi'[t_i/\vec{x}]$. Using fact (A), we have $\vdash \varphi'[t_i/\vec{x}]$. Applying the i.h. to this and $\psi_i \leftarrow \mathrm{reduce}(\mathcal{L}, \varphi'[t_i/\vec{x}])$, we know that there is a $\psi'_i$ such that $\psi_i \rightarrow^* \psi'_i$, $\mathrm{simp}(\psi'_i)$ and $\mathrm{equiv}(\mathcal{L}, \psi_i, \psi'_i)$. Call this fact (D).

Note that $\psi = \psi_1 \wedge \ldots \wedge \psi_n \wedge \psi'' \rightarrow^* \psi'_1 \wedge \ldots \wedge \psi'_n \wedge \top$ (the second relation follows because $\psi'' \rightarrow \top$). Further, because $\mathrm{equiv}(\mathcal{L}, \psi_i, \psi'_i)$ (fact (D)) and $\mathrm{equiv}(\mathcal{L}, \psi'', \top)$ (fact (C)), it follows that $\mathrm{equiv}(\mathcal{L}, \psi, (\psi'_1 \wedge \ldots \wedge \psi'_n \wedge \top))$. Also, from fact (C), $\mathrm{simp}(\psi'_1 \wedge \ldots \wedge \psi'_n \wedge \top)$. The proof is complete by choosing the $\psi'$ obtained by applying Lemma C.1 to $\psi'_1 \wedge \ldots \wedge \psi'_n \wedge \top$.

Case. $\varphi = \exists \vec{x}.(c \wedge \varphi')$. Then, $\psi$ is calculated as follows:

$$\begin{array}{l}
\psi = \mathrm{reduce}(\mathcal{L}, \varphi) = \mathbf{let} \\
\quad \{\sigma_1, \ldots, \sigma_n\} \leftarrow \mathrm{sat}(\mathcal{L}, c) \\
\quad \{t_i \leftarrow \sigma_i(\vec{x})\}_{i=1}^{n} \\
\quad S \leftarrow \{t_1, \ldots, t_n\} \\
\quad \{\psi_i \leftarrow \mathrm{reduce}(\mathcal{L}, \varphi'[t_i/\vec{x}])\}_{i=1}^{n} \\
\quad \psi'' \leftarrow \exists \vec{x}.((c \wedge \vec{x} \notin S) \wedge \varphi') \\
\mathbf{return}\ \psi_1 \vee \ldots \vee \psi_n \vee \psi''
\end{array}$$

By inversion on the given derivation of $\vdash \varphi$, we know that there is a $\chi_0$ such that (1) $\{\} \vdash c : \chi_0$, (2) $\vec{x} \subseteq \chi_0$, (3) $\mathrm{fv}(c) \subseteq \vec{x}$, and (4) $\chi_0 \vdash \varphi'$. By Lemma B.7 on (1), $\chi_0 \subseteq \mathrm{fv}(c)$. From this, (2), and (3), it follows that $\vec{x} = \mathrm{fv}(c) = \chi_0$. Call this fact (A). Note also that by Theorem B.6, $\mathrm{dom}(\sigma_i) \supseteq \chi_0 = \vec{x}$. Call this fact (B).

Next, we show that $\mathrm{equiv}(\mathcal{L}, \psi'', \bot)$. Since for all $\mathcal{L}'$, $\mathcal{L}' \models \overline{\bot} = \top$, it suffices to show that for all $\mathcal{L}' \geq \mathcal{L}$, $\mathcal{L}' \models \overline{\exists \vec{x}.((c \wedge \vec{x} \notin S) \wedge \varphi')}$, i.e., $\mathcal{L}' \models \forall \vec{x}.((c \wedge \vec{x} \notin S) \supset \overline{\varphi'})$. By definition of $\models$, it suffices to prove that for all $t$ and $\mathcal{L}' \geq \mathcal{L}$, $\mathcal{L}' \models \overline{c[t/\vec{x}] \wedge t \notin S}$, i.e., $\mathcal{L}' \models \overline{c[t/\vec{x}]} \vee t \in S$. If $t = t_i$ for some $i$, then $\mathcal{L}' \models t \in S$ by definition of $S$, so we are done. Hence, we need only consider the case where $t \notin S$. In this case we show that $\mathcal{L}' \models \overline{c[t/\vec{x}]}$. By Lemma C.2, this is implied by $\mathcal{L}' \not\models c[t/\vec{x}]$, so we show the latter. Suppose, for the sake of contradiction, that $\mathcal{L}' \models c[t/\vec{x}]$. By Lemma C.3, $\mathcal{L} \models c[t/\vec{x}]$. Hence, by Theorem B.3, there is a $\sigma \in \mathrm{sat}(\mathcal{L}, c)$ such that $[\vec{x} \mapsto t] \geq \sigma$. $\sigma \in \mathrm{sat}(\mathcal{L}, c)$ forces $\sigma = \sigma_i$ for some $i$ and, by fact (B), $t = t_i$. Hence, $t = t_i \in S$, a contradiction. Therefore, $\mathrm{equiv}(\mathcal{L}, \psi'', \bot)$. Call this fact (C).

By Lemma B.8 on (4), we derive $\chi_0 \setminus \vec{x} \vdash \varphi'[t_i/\vec{x}]$. Using fact (A), we have $\vdash \varphi'[t_i/\vec{x}]$. Applying the i.h. to this and $\psi_i \leftarrow \mathrm{reduce}(\mathcal{L}, \varphi'[t_i/\vec{x}])$, we know that there is a $\psi'_i$ such that $\psi_i \rightarrow^* \psi'_i$, $\mathrm{simp}(\psi'_i)$ and $\mathrm{equiv}(\mathcal{L}, \psi_i, \psi'_i)$. Call this fact (D).

Note that $\psi = \psi_1 \vee \ldots \vee \psi_n \vee \psi'' \rightarrow^* \psi'_1 \vee \ldots \vee \psi'_n \vee \bot$ (the second relation follows because $\psi'' \rightarrow \bot$). Further, because $\mathrm{equiv}(\mathcal{L}, \psi_i, \psi'_i)$ (fact (D)) and $\mathrm{equiv}(\mathcal{L}, \psi'', \bot)$ (fact (C)), it follows that $\mathrm{equiv}(\mathcal{L}, \psi, (\psi'_1 \vee \ldots \vee \psi'_n \vee \bot))$. Also, from fact (C), $\mathrm{simp}(\psi'_1 \vee \ldots \vee \psi'_n \vee \bot)$. The proof is complete by choosing the $\psi'$ obtained by applying Lemma C.1 to $\psi'_1 \vee \ldots \vee \psi'_n \vee \bot$. □

Next, we turn to proofs of Theorems 5.4 and 5.5. Both theorems rely on a central lemma (Lemma C.11). In order to prove the lemma cleanly, we need a few definitions and some other lemmas. Note that in the rest of this Appendix we assume that there are no subjective predicates.

Definition C.5 (Protected restrictions). Let $T$ be a set of time points (possibly non-ground). We define a subclass "$T$-protected" of restrictions $c$ of the sublogic inductively as follows:

1. $p_o(t_1, \ldots, t_n, \tau_0)$ is $T$-protected if $\tau_0 \in T$

2. $\vec{x} \notin S$ is $T$-protected

3. $t \neq t'$ is $T$-protected

4. $\mathrm{in}(\tau, \tau', \tau_0)$ is $T$-protected if $\tau_0 \in T$

5. $\top$ is $T$-protected

6. $\bot$ is $T$-protected

7. $c_1 \wedge c_2$ is $T$-protected if both $c_1$ and $c_2$ are $T$-protected.

8. $c_1 \vee c_2$ is $T$-protected if both $c_1$ and $c_2$ are $T$-protected.

9. $\exists \vec{x}.c$ is $T$-protected if $c$ is $T$-protected.

Definition C.6 (Protected formulas). Let $T$ be a set of time points (possibly non-ground). We define a subclass "$T$-protected" of formulas $\varphi$ of the sublogic inductively as follows:

1. $p_o(t_1, \ldots, t_n, \tau_0)$ is $T$-protected if $\tau_0 \in T$

2. $\top$ is $T$-protected

3. $\bot$ is $T$-protected

4. $\varphi_1 \wedge \varphi_2$ is $T$-protected if both $\varphi_1$ and $\varphi_2$ are $T$-protected

5. $\varphi_1 \vee \varphi_2$ is $T$-protected if both $\varphi_1$ and $\varphi_2$ are $T$-protected

6. $\forall \vec{x}.(c \supset \varphi)$ is $T$-protected if $c$ is $T$-protected and $\varphi$ is $T$-protected

7. $\forall \tau.((\mathrm{in}(\tau, \tau', \tau_0) \wedge c) \supset \varphi)$ is $T$-protected if $c$ is $T$-protected, $\tau_0 \in T$, and $\varphi$ is $(T \cup \{\tau\})$-protected

8. $\exists \vec{x}.(c \wedge \varphi)$ is $T$-protected if $c$ is $T$-protected and $\varphi$ is $T$-protected

9. $\exists \tau.((\mathrm{in}(\tau, \tau', \tau_0) \wedge c) \wedge \varphi)$ is $T$-protected if $c$ is $T$-protected, $\tau_0 \in T$, and $\varphi$ is $(T \cup \{\tau\})$-protected

Lemma C.7 (Excluded middle for protected formulas). Let $T$, $\tau_0$ be ground. Suppose $\mathcal{L}$ is $\tau_0$-complete and for all $\tau \in T$, $\tau \leq \tau_0$. Then, the following hold.

1. If $c$ is ground and $T$-protected, then either $\mathcal{L} \models c$ or $\mathcal{L} \models \overline{c}$.

2. If $\varphi$ is ground and $T$-protected, then either $\mathcal{L} \models \varphi$ or $\mathcal{L} \models \overline{\varphi}$.

Proof. Both statements follow by an induction on the respective definitions of $T$-protected. We show some representative cases below.

Proof of (1).

Case. $c = p_o(t_1, \ldots, t_n, \tau)$ and $\tau \in T$. By definition of $\tau_0$-complete and the fact $\tau \leq \tau_0$, we know that either $\rho_{\mathcal{L}}(p_o(t_1, \ldots, t_n, \tau)) = \mathsf{tt}$ or $\rho_{\mathcal{L}}(p_o(t_1, \ldots, t_n, \tau)) = \mathsf{ff}$. In the former case, $\mathcal{L} \models p_o(t_1, \ldots, t_n, \tau)$, while in the latter case, $\mathcal{L} \models \overline{p_o(t_1, \ldots, t_n, \tau)}$.

Case. $c = c_1 \wedge c_2$ and both $c_1$ and $c_2$ are $T$-protected. By the i.h., for each $i$, either $\mathcal{L} \models c_i$ or $\mathcal{L} \models \overline{c_i}$. If $\mathcal{L} \models c_1$ and $\mathcal{L} \models c_2$, then $\mathcal{L} \models c_1 \wedge c_2$, as required. If, on the other hand, for some $i$, $\mathcal{L} \models \overline{c_i}$, then $\mathcal{L} \models \overline{c_1} \vee \overline{c_2}$, i.e., $\mathcal{L} \models \overline{c}$.

Case. $c = \exists \vec{x}.c'$ and $c'$ is $T$-protected. By the i.h., for every $t$, either $\mathcal{L} \models c'[t/\vec{x}]$ or $\mathcal{L} \models \overline{c'[t/\vec{x}]}$. If there is a $t$ such that $\mathcal{L} \models c'[t/\vec{x}]$, then also $\mathcal{L} \models \exists \vec{x}.c'$. If, on the other hand, for every $t$, $\mathcal{L} \models \overline{c'[t/\vec{x}]}$, then also, $\mathcal{L} \models \forall \vec{x}.\overline{c'}$, i.e., $\mathcal{L} \models \overline{\exists \vec{x}.c'}$.

Proof of (2).

Case. $\varphi = \forall \vec{x}.(c \supset \varphi')$ where $c$ is $T$-protected and $\varphi'$ is $T$-protected. If for any $t$, $\mathcal{L} \models c[t/\vec{x}]$ and $\mathcal{L} \models \overline{\varphi'[t/\vec{x}]}$, then, by definition, $\mathcal{L} \models \exists \vec{x}.(c \wedge \overline{\varphi'})$, i.e., $\mathcal{L} \models \overline{\varphi}$ and we are done. Hence, we need only consider the case where for every $t$, either $\mathcal{L} \not\models c[t/\vec{x}]$ or $\mathcal{L} \not\models \overline{\varphi'[t/\vec{x}]}$. However, by (1) and the i.h., we also deduce in this case that for every $t$, either $\mathcal{L} \models \overline{c[t/\vec{x}]}$ or $\mathcal{L} \models \varphi'[t/\vec{x}]$. By definition of $\models$, $\mathcal{L} \models \varphi$ in this case.

Case. $\varphi = \forall \tau.((\mathrm{in}(\tau, \tau', \tau_1) \wedge c) \supset \varphi')$ where $c$ is $T$-protected, $\tau_1 \in T$, and $\varphi'$ is $(T \cup \{\tau\})$-protected. We consider two exhaustive subcases:

Subcase. There is a ground $\tau''$ such that $\mathcal{L} \models \mathrm{in}(\tau'', \tau', \tau_1)$, $\mathcal{L} \models c[\tau''/\tau]$ and $\mathcal{L} \models \overline{\varphi'[\tau''/\tau]}$. By definition of $\models$, $\mathcal{L} \models \exists \tau.((\mathrm{in}(\tau, \tau', \tau_1) \wedge c) \wedge \overline{\varphi'})$, i.e., $\mathcal{L} \models \overline{\varphi}$.

Subcase. For every ground $\tau''$, either $\mathcal{L} \not\models \mathrm{in}(\tau'', \tau', \tau_1)$, or $\mathcal{L} \not\models c[\tau''/\tau]$, or $\mathcal{L} \not\models \overline{\varphi'[\tau''/\tau]}$. In this case we show that $\mathcal{L} \models \varphi$. Following the definition of $\models$, pick any $\tau''$. It suffices to prove that either $\mathcal{L} \models \overline{\mathrm{in}(\tau'', \tau', \tau_1)}$ or $\mathcal{L} \models \overline{c[\tau''/\tau]}$ or $\mathcal{L} \models \varphi'[\tau''/\tau]$. From the subcase assumption, $\mathcal{L} \not\models \mathrm{in}(\tau'', \tau', \tau_1)$, or $\mathcal{L} \not\models c[\tau''/\tau]$, or $\mathcal{L} \not\models \overline{\varphi'[\tau''/\tau]}$. If $\mathcal{L} \not\models \mathrm{in}(\tau'', \tau', \tau_1)$, then because $\mathrm{in}(\tau'', \tau', \tau_1)$ is $T$-protected (note that $\tau_1 \in T$), (1) implies that $\mathcal{L} \models \overline{\mathrm{in}(\tau'', \tau', \tau_1)}$. The case $\mathcal{L} \not\models c[\tau''/\tau]$ is similar. That leaves only the last case: $\mathcal{L} \not\models \overline{\varphi'[\tau''/\tau]}$. Since $\varphi'$ is $(T \cup \{\tau\})$-protected, $\varphi'[\tau''/\tau]$ is $(T \cup \{\tau''\})$-protected. Further, because we already considered the case $\mathcal{L} \not\models \mathrm{in}(\tau'', \tau', \tau_1)$, we may assume here that $\mathcal{L} \models \mathrm{in}(\tau'', \tau', \tau_1)$, which implies $\tau'' \leq \tau_1 \leq \tau_0$. Thus, we can apply the i.h. to $\varphi'[\tau''/\tau]$ to deduce that either $\mathcal{L} \models \varphi'[\tau''/\tau]$ or $\mathcal{L} \models \overline{\varphi'[\tau''/\tau]}$. The latter is assumed to be false, so we must have $\mathcal{L} \models \varphi'[\tau''/\tau]$, as required. □

Lemma C.8 (Reduction of protected formulas). Let $T$, $\tau_0$ be ground. Suppose $\varphi$ is $T$-protected, $\vdash \varphi$, $\mathcal{L}$ is $\tau_0$-complete, and for all $\tau \in T$, $\tau \leq \tau_0$. Then, $\mathrm{reduce}(\mathcal{L}, \varphi) \rightarrow^* \psi$, where $\psi = \top$ or $\psi = \bot$ and $\mathcal{L} \models \varphi$ iff $\mathcal{L} \models \psi$.

Proof. By induction on the derivation of $\varphi$ being $T$-protected. The proof is very similar to that of Theorem C.4 and we show here only some representative cases of the induction.

Case. $\varphi = p_o(t_1, \ldots, t_n, \tau)$ where $\tau \in T$. Because $\mathcal{L}$ is $\tau_0$-complete and $\tau \leq \tau_0$, we know that $\rho_{\mathcal{L}}(p_o(t_1, \ldots, t_n, \tau)) \in \{\mathsf{tt}, \mathsf{ff}\}$. Accordingly, $\mathrm{reduce}(\mathcal{L}, \varphi) \in \{\top, \bot\}$, so we can choose $\psi = \mathrm{reduce}(\mathcal{L}, \varphi)$ to satisfy the theorem's requirements.

Case. $\varphi = \forall \vec{x}.(c \supset \varphi')$ where $c$ and $\varphi'$ are both $T$-protected. Then, $\mathrm{reduce}(\mathcal{L}, \varphi)$ is calculated as follows.

$$\begin{array}{l}
\mathrm{reduce}(\mathcal{L}, \varphi) = \mathbf{let} \\
\quad \{\sigma_1, \ldots, \sigma_n\} \leftarrow \mathrm{sat}(\mathcal{L}, c) \\
\quad \{t_i \leftarrow \sigma_i(\vec{x})\}_{i=1}^{n} \\
\quad S \leftarrow \{t_1, \ldots, t_n\} \\
\quad \{\psi_i \leftarrow \mathrm{reduce}(\mathcal{L}, \varphi'[t_i/\vec{x}])\}_{i=1}^{n} \\
\quad \psi' \leftarrow \forall \vec{x}.((c \wedge \vec{x} \notin S) \supset \varphi') \\
\mathbf{return}\ \psi_1 \wedge \ldots \wedge \psi_n \wedge \psi'
\end{array}$$

By inversion on the given derivation of $\vdash \varphi$, we know that there is a $\chi_0$ such that (1) $\{\} \vdash c : \chi_0$, (2) $\vec{x} \subseteq \chi_0$, (3) $\mathrm{fv}(c) \subseteq \vec{x}$, and (4) $\chi_0 \vdash \varphi'$. By Lemma B.7 on (1), $\chi_0 \subseteq \mathrm{fv}(c)$. From this, (2), and (3), it follows that $\vec{x} = \mathrm{fv}(c) = \chi_0$. Call this fact (A). Note also that by Theorem B.6, $\mathrm{dom}(\sigma_i) \supseteq \chi_0 = \vec{x}$. Call this fact (B).

Next, we show that $\mathcal{L} \models \psi'$. Following the definition of $\models$, it suffices to prove that for all $t$, $\mathcal{L} \models \overline{c[t/\vec{x}] \wedge t \notin S}$, i.e., either $\mathcal{L} \models \overline{c[t/\vec{x}]}$ or $t \in S$. Suppose $t \notin S$. Then, we show that $\mathcal{L} \models \overline{c[t/\vec{x}]}$. Because $c$ is $T$-protected, Lemma C.7(1) applies, so the last fact is implied by $\mathcal{L} \not\models c[t/\vec{x}]$. So we prove this instead. Suppose, for the sake of contradiction, that $\mathcal{L} \models c[t/\vec{x}]$. Then, by Theorem B.3, there is a $\sigma \in \mathrm{sat}(\mathcal{L}, c)$ such that $[\vec{x} \mapsto t] \geq \sigma$. $\sigma \in \mathrm{sat}(\mathcal{L}, c)$ forces $\sigma = \sigma_i$ for some $i$ and, by fact (B), $t = t_i$. Hence, $t = t_i \in S$, a contradiction. Hence, we must have $\mathcal{L} \models \psi'$. Call this fact (C).

By Lemma B.8 on (4), we derive $\chi_0 \setminus \vec{x} \vdash \varphi'[t_i/\vec{x}]$. Using fact (A), we have $\vdash \varphi'[t_i/\vec{x}]$. We already know that $\varphi'$ is $T$-protected and, hence, $\varphi'[t_i/\vec{x}]$ is also $T$-protected. Applying the i.h. to the last two facts, and $\psi_i \leftarrow \mathrm{reduce}(\mathcal{L}, \varphi'[t_i/\vec{x}])$, we know that there is a $\psi'_i \in \{\top, \bot\}$ such that $\psi_i \rightarrow^* \psi'_i$ and $\mathcal{L} \models \varphi'[t_i/\vec{x}]$ iff $\mathcal{L} \models \psi'_i$. Note that by Theorem B.5, this also implies $\mathcal{L} \models \psi_i$ iff $\mathcal{L} \models \psi'_i$. Call this fact (D). We consider two subcases:

Subcase. For every $i$, $\psi'_i = \top$. Clearly, we have $\mathrm{reduce}(\mathcal{L}, \varphi) = (\psi_1 \wedge \ldots \wedge \psi_n \wedge \psi') \rightarrow^* \top$ (note: $\psi' \rightarrow \top$). We must show that $\mathcal{L} \models \varphi$. We have by fact (D) that $\mathcal{L} \models \psi_i$ for each $i$ and by fact (C) that $\mathcal{L} \models \psi'$. Consequently, $\mathcal{L} \models (\psi_1 \wedge \ldots \wedge \psi_n \wedge \psi')$ and, hence, by Theorem B.5, $\mathcal{L} \models \varphi$.

Subcase. There is an $i$ such that $\psi'_i = \bot$. Clearly, we have $\mathrm{reduce}(\mathcal{L}, \varphi) = (\ldots \wedge \psi_i \wedge \ldots) \rightarrow^* \bot$. We must show that $\mathcal{L} \not\models \varphi$. Note that by fact (D), $\mathcal{L} \not\models \psi_i$. Consequently, by definition of $\models$, $\mathcal{L} \not\models \mathrm{reduce}(\mathcal{L}, \varphi)$ and, hence, by Theorem B.5, $\mathcal{L} \not\models \varphi$, as required.

Case. $\varphi = \forall x.((\mathrm{in}(x, \tau', \tau) \wedge c) \supset \varphi')$ where $c$ is $T$-protected, $\tau \in T$, and $\varphi'$ is $(T \cup \{x\})$-protected. Then, $\mathrm{reduce}(\mathcal{L}, \varphi)$ is calculated as follows.

$$\begin{array}{l}
\mathrm{reduce}(\mathcal{L}, \varphi) = \mathbf{let} \\
\quad \{\sigma_1, \ldots, \sigma_n\} \leftarrow \mathrm{sat}(\mathcal{L}, (\mathrm{in}(x, \tau', \tau) \wedge c)) \\
\quad \{\tau_i \leftarrow \sigma_i(x)\}_{i=1}^{n} \\
\quad S \leftarrow \{\tau_1, \ldots, \tau_n\} \\
\quad \{\psi_i \leftarrow \mathrm{reduce}(\mathcal{L}, \varphi'[\tau_i/x])\}_{i=1}^{n} \\
\quad \psi' \leftarrow \forall x.((\mathrm{in}(x, \tau', \tau) \wedge c \wedge x \notin S) \supset \varphi') \\
\mathbf{return}\ \psi_1 \wedge \ldots \wedge \psi_n \wedge \psi'
\end{array}$$

By inversion on the given derivation of $\vdash \varphi$, we know that there is a $\chi_0$ such that (1) $\{\} \vdash \mathrm{in}(x, \tau', \tau) \wedge c : \chi_0$, (2) $\{x\} \subseteq \chi_0$, (3) $\mathrm{fv}(\mathrm{in}(x, \tau', \tau) \wedge c) \subseteq \{x\}$, and (4) $\chi_0 \vdash \varphi'$. By Lemma B.7 on (1), $\chi_0 \subseteq \mathrm{fv}(\mathrm{in}(x, \tau', \tau) \wedge c)$. From this, (2), and (3), it follows that $\{x\} = \mathrm{fv}(\mathrm{in}(x, \tau', \tau) \wedge c) = \chi_0$. Call this fact (A). Note also that by Theorem B.6, $\mathrm{dom}(\sigma_i) \supseteq \chi_0 = \{x\}$. Call this fact (B).

Next, we show that $\mathcal{L} \models \psi'$. Following the definition of $\models$, it suffices to prove that for all $t$, $\mathcal{L} \models \overline{\mathrm{in}(t, \tau', \tau) \wedge c[t/x] \wedge t \notin S}$, i.e., either $\mathcal{L} \models \overline{\mathrm{in}(t, \tau', \tau) \wedge c[t/x]}$ or $t \in S$. Suppose $t \notin S$. Then, we show that $\mathcal{L} \models \overline{\mathrm{in}(t, \tau', \tau) \wedge c[t/x]}$. Because $\mathrm{in}(t, \tau', \tau) \wedge c[t/x]$ is $T$-protected, Lemma C.7(1) applies, so the last fact is implied by $\mathcal{L} \not\models \mathrm{in}(t, \tau', \tau) \wedge c[t/x]$. So we prove this instead. Suppose, for the sake of contradiction, that $\mathcal{L} \models \mathrm{in}(t, \tau', \tau) \wedge c[t/x]$. Then, by Theorem B.3, there is a $\sigma \in \mathrm{sat}(\mathcal{L}, \mathrm{in}(x, \tau', \tau) \wedge c)$ such that $[x \mapsto t] \geq \sigma$. $\sigma \in \mathrm{sat}(\mathcal{L}, \mathrm{in}(x, \tau', \tau) \wedge c)$ forces $\sigma = \sigma_i$ for some $i$ and, by fact (B), $t = \tau_i$. Hence, $t = \tau_i \in S$, a contradiction. Hence, we must have $\mathcal{L} \models \psi'$. Call this fact (C).

By Lemma B.8 on (4), we derive $\chi_0 \setminus \{x\} \vdash \varphi'[\tau_i/x]$. Using fact (A), we have $\vdash \varphi'[\tau_i/x]$. We already know that $\varphi'$ is $(T \cup \{x\})$-protected and, hence, $\varphi'[\tau_i/x]$ is $(T \cup \{\tau_i\})$-protected. Note also that $\tau_i \leq \tau \leq \tau_0$. Applying the i.h. to the last three facts, and $\psi_i \leftarrow \mathrm{reduce}(\mathcal{L}, \varphi'[\tau_i/x])$, we know that there is a $\psi'_i \in \{\top, \bot\}$ such that $\psi_i \rightarrow^* \psi'_i$ and $\mathcal{L} \models \varphi'[\tau_i/x]$ iff $\mathcal{L} \models \psi'_i$. Note that by Theorem B.5, this also implies $\mathcal{L} \models \psi_i$ iff $\mathcal{L} \models \psi'_i$. Call this fact (D). We consider two subcases:

Subcase. For every $i$, $\psi'_i = \top$. Clearly, we have $\mathrm{reduce}(\mathcal{L}, \varphi) = (\psi_1 \wedge \ldots \wedge \psi_n \wedge \psi') \rightarrow^* \top$ (note: $\psi' \rightarrow \top$). We must show that $\mathcal{L} \models \varphi$. We have by fact (D) that $\mathcal{L} \models \psi_i$ for each $i$ and by fact (C) that $\mathcal{L} \models \psi'$. Consequently, $\mathcal{L} \models (\psi_1 \wedge \ldots \wedge \psi_n \wedge \psi')$ and, hence, by Theorem B.5, $\mathcal{L} \models \varphi$.

Subcase. There is an $i$ such that $\psi'_i = \bot$. Clearly, we have $\mathrm{reduce}(\mathcal{L}, \varphi) = (\ldots \wedge \psi_i \wedge \ldots) \rightarrow^* \bot$. We must show that $\mathcal{L} \not\models \varphi$. Note that by fact (D), $\mathcal{L} \not\models \psi_i$. Consequently, by definition of $\models$, $\mathcal{L} \not\models \mathrm{reduce}(\mathcal{L}, \varphi)$ and, hence, by Theorem B.5, $\mathcal{L} \not\models \varphi$, as required. □

Lemma C.9 (Duality of protection). $\varphi$ is $T$-protected iff $\overline{\varphi}$ is $T$-protected.

Proof. By a straightforward induction on $\varphi$. □

Lemma C.10 (Past translation). The following hold:

1. If $c$ is a restriction in the temporal logic, then for any $\tau \in T$, $(c)_\tau$ is $T$-protected.

2. If $\alpha_p$ is a temporal logic formula without future operators, then for any $\tau \in T$, $(\alpha_p)_\tau$ is $T$-protected.

Proof. (1) follows by a straightforward induction on $c$. Then, (2) follows by induction on $\alpha_p$. The case $\alpha_p = p_s(t_1, \ldots, t_n)$ does not arise because we assume that there are no subjective predicates. Similarly, the cases $\alpha_p = \Box \beta_p$ and $\alpha_p = \beta_1\, \mathcal{U}\, \beta_2$ do not arise because $\alpha_p$ does not contain future operators. We show some other representative cases below.

Case. $\alpha_p = p_o(t_1, \ldots, t_n)$. Then, $(\alpha_p)_\tau = p_o(t_1, \ldots, t_n, \tau)$, which is $T$-protected because $\tau \in T$ is given.

Case. $\alpha_p = \overline{\alpha'_p}$. Then, $(\alpha_p)_\tau = \overline{(\alpha'_p)_\tau}$. By the i.h., $(\alpha'_p)_\tau$ is $T$-protected. Hence, by Lemma C.9, $\overline{(\alpha'_p)_\tau}$ is also $T$-protected.

Case. $\alpha_p = \forall \vec{x}.(c \supset \beta_p)$. Then, $(\alpha_p)_\tau = \forall \vec{x}.((c)_\tau \supset (\beta_p)_\tau)$. By statement (1) of the theorem, $(c)_\tau$ is $T$-protected, and by the i.h., $(\beta_p)_\tau$ is $T$-protected. Hence, $(\alpha_p)_\tau$ is $T$-protected by clause (6) of Defn C.6.

Case. $\alpha_p = \downarrow x.\beta_p$. Then, $(\alpha_p)_\tau = (\beta_p[\tau/x])_\tau$. By the i.h. on the smaller formula $\beta_p[\tau/x]$, we get that $(\beta_p[\tau/x])_\tau$ is $T$-protected.

Case. $\alpha_p = \beta_1\, \mathcal{S}\, \beta_2$. Then, $(\alpha_p)_\tau = \exists \tau'.(\mathrm{in}(\tau', 0, \tau) \wedge (\beta_2)_{\tau'} \wedge (\forall \tau''.((\mathrm{in}(\tau'', \tau', \tau) \wedge \tau' \neq \tau'') \supset (\beta_1)_{\tau''})))$. First, by the i.h., $(\beta_1)_{\tau''}$ is $(T \cup \{\tau''\})$-protected. Consequently, by clause (7) of Defn C.6, $(\forall \tau''.((\mathrm{in}(\tau'', \tau', \tau) \wedge \tau' \neq \tau'') \supset (\beta_1)_{\tau''}))$ is $T$-protected. Hence, it is also $(T \cup \{\tau'\})$-protected. Call this fact (A). Next, by the i.h., $(\beta_2)_{\tau'}$ is $(T \cup \{\tau'\})$-protected. Combining this and fact (A), we have that $(\beta_2)_{\tau'} \wedge (\forall \tau''.((\mathrm{in}(\tau'', \tau', \tau) \wedge \tau' \neq \tau'') \supset (\beta_1)_{\tau''}))$ is $(T \cup \{\tau'\})$-protected. By clause (9) of Defn C.6, $(\alpha_p)_\tau$ is $T$-protected, as required.

Case. $\alpha_p = \boxminus \beta_p$. Then, $(\alpha_p)_\tau = \forall \tau'.(\mathrm{in}(\tau', \tau, \infty) \supset (\beta_p)_{\tau'})$. By the i.h., $(\beta_p)_{\tau'}$ is $(T \cup \{\tau'\})$-protected. Hence, by clause (7) of Defn C.6, $(\alpha_p)_\tau$ is $T$-protected. □

Lemma C.11 (Reduction of past formulas). Let $\alpha_p$ be a temporal logic formula without future operators, and suppose that $\tau$ is a ground time point such that $\vdash (\alpha_p)_\tau$. Let $\mathcal{L}$ be $\tau_0$-complete and $\tau \leq \tau_0$. Then, either (1) $\mathrm{reduce}(\mathcal{L}, (\alpha_p)_\tau) \rightarrow^* \top$ and $\mathcal{L} \models (\alpha_p)_\tau$, or (2) $\mathrm{reduce}(\mathcal{L}, (\alpha_p)_\tau) \rightarrow^* \bot$ and $\mathcal{L} \models \overline{(\alpha_p)_\tau}$.

Proof. By Lemma C.10(2), $(\alpha_p)_\tau$ is $\{\tau\}$-protected. Because $\tau \leq \tau_0$ and $\vdash (\alpha_p)_\tau$, by Lemma C.8, $\mathrm{reduce}(\mathcal{L}, (\alpha_p)_\tau) \rightarrow^* \psi$, where $\psi = \top$ or $\psi = \bot$ and $\mathcal{L} \models (\alpha_p)_\tau$ iff $\mathcal{L} \models \psi$. Call the latter fact (A). We consider two cases:

Case. $\psi = \top$. In this case, fact (A) means that $\mathcal{L} \models (\alpha_p)_\tau$ iff $\mathcal{L} \models \top$, which implies that $\mathcal{L} \models (\alpha_p)_\tau$. So (1) holds.

Case. $\psi = \bot$. In this case, fact (A) yields that $\mathcal{L} \not\models (\alpha_p)_\tau$. Since $(\alpha_p)_\tau$ is $\{\tau\}$-protected (already proved) and $\tau \leq \tau_0$, Lemma C.7(2) yields $\mathcal{L} \models \overline{(\alpha_p)_\tau}$. So (2) holds. □

Theorem C.12 (Enforcement of safety properties; Theorem 5.4). Suppose $\mathsf{G}\,\alpha_p$ is a safety property, $\vdash \mathsf{G}\,\alpha_p$, $\mathcal{L}$ is $\tau_0$-complete, and for all $\tau$, $(\rho_{\mathcal{L}}(\mathrm{in}(\tau, 0, \infty)) = \mathsf{tt}) \Rightarrow \tau \leq \tau_0$. Then, $\mathrm{reduce}(\mathcal{L}, \mathsf{G}\,\alpha_p) \rightarrow^* \bot$ iff there is a $\tau$ such that $\mathcal{L} \models \mathrm{in}(\tau, 0, \tau_0)$ and $\mathcal{L} \models \overline{(\alpha_p)_\tau}$.

Proof. We have $\mathsf{G}\,\alpha_p = \forall \tau.(\mathrm{in}(\tau, 0, \infty) \supset (\alpha_p)_\tau)$. Let $\mathrm{reduce}(\mathcal{L}, \mathsf{G}\,\alpha_p) = \psi$. Then,

$$\begin{array}{l}
\psi = \mathrm{reduce}(\mathcal{L}, \forall \tau.(\mathrm{in}(\tau, 0, \infty) \supset (\alpha_p)_\tau)) = \mathbf{let} \\
\quad \{\sigma_1, \ldots, \sigma_n\} \leftarrow \mathrm{sat}(\mathcal{L}, \mathrm{in}(\tau, 0, \infty)) \\
\quad \{\tau_i \leftarrow \sigma_i(\tau)\}_{i=1}^{n} \\
\quad S \leftarrow \{\tau_1, \ldots, \tau_n\} \\
\quad \{\psi_i \leftarrow \mathrm{reduce}(\mathcal{L}, (\alpha_p)_{\tau_i})\}_{i=1}^{n} \\
\quad \psi' \leftarrow \forall \tau.((\mathrm{in}(\tau, 0, \infty) \wedge \tau \notin S) \supset (\alpha_p)_\tau) \\
\mathbf{return}\ \psi_1 \wedge \ldots \wedge \psi_n \wedge \psi'
\end{array}$$

By inversion on $\vdash \mathsf{G}\,\alpha_p$, we obtain a $\chi_0$ such that $\vdash \mathrm{in}(\tau, 0, \infty) : \chi_0$ and $\chi_0 \vdash (\alpha_p)_\tau$. The first of these forces $\chi_0 = \{\tau\}$, so from the second one we have that $\tau \vdash (\alpha_p)_\tau$. Using Lemma B.8(2), we get $\vdash (\alpha_p)_{\tau_i}$. Call this fact (A). Next, observe that by Theorem B.3, for each $\tau_i$, $\mathcal{L} \models \mathrm{in}(\tau_i, 0, \infty)$, i.e., $\rho_{\mathcal{L}}(\mathrm{in}(\tau_i, 0, \infty)) = \mathsf{tt}$. This forces $\tau_i \leq \tau_0$ from the assumptions of the theorem we are trying to prove. Call this fact (B). We now prove the two directions of the conclusion of the theorem.

Direction "if". Suppose there is a $\tau$ with $\mathcal{L} \models \mathrm{in}(\tau, 0, \tau_0)$ and $\mathcal{L} \models \overline{(\alpha_p)_\tau}$. We prove that $\psi \rightarrow^* \bot$. By Theorem B.3 applied to $\mathcal{L} \models \mathrm{in}(\tau, 0, \tau_0)$, $\tau = \tau_i$ for some $i$. Hence by Lemma C.11, using facts (A) and (B) and $\mathcal{L} \models \overline{(\alpha_p)_\tau}$, we have that $\mathrm{reduce}(\mathcal{L}, (\alpha_p)_{\tau_i}) \rightarrow^* \bot$, i.e., $\psi_i \rightarrow^* \bot$. Clearly, $\psi = (\ldots \wedge \psi_i \wedge \ldots) \rightarrow^* \bot$, as required.

Direction "only if". Suppose that $\mathrm{reduce}(\mathcal{L}, \mathsf{G}\,\alpha_p) \rightarrow^* \bot$, i.e., $\psi \rightarrow^* \bot$. We show that there is a $\tau$ such that $\mathcal{L} \models \mathrm{in}(\tau, 0, \tau_0)$ and $\mathcal{L} \models \overline{(\alpha_p)_\tau}$. By definition of $\rightarrow$, we obtain that either for some $i$, $\psi_i \rightarrow^* \bot$ or $\psi' \rightarrow^* \bot$. The latter is impossible because $\psi'$ has a top-level $\forall$, which can only be rewritten to $\top$. Hence, there is an $i$ such that $\psi_i \rightarrow^* \bot$, i.e., $\mathrm{reduce}(\mathcal{L}, (\alpha_p)_{\tau_i}) \rightarrow^* \bot$. Choose $\tau = \tau_i$. By Lemma C.11, using facts (A) and (B) and $\mathrm{reduce}(\mathcal{L}, (\alpha_p)_{\tau_i}) \rightarrow^* \bot$, we obtain that $\mathcal{L} \models \overline{(\alpha_p)_{\tau_i}}$. The remaining requirement, $\mathcal{L} \models \mathrm{in}(\tau_i, 0, \tau_0)$, follows from fact (B). □

Theorem C.13 (Enforcement of co-safety properties; Theorem 5.5). Suppose $\mathsf{F}\,\alpha_p$ is a co-safety property, $\vdash \mathsf{F}\,\alpha_p$, $\mathcal{L}$ is $\tau_0$-complete, and for all $\tau$, $(\rho_{\mathcal{L}}(\mathrm{in}(\tau, 0, \infty)) = \mathsf{tt}) \Rightarrow \tau \leq \tau_0$. Then, $\mathrm{reduce}(\mathcal{L}, \mathsf{F}\,\alpha_p) \rightarrow^* \top$ if and only if there is a $\tau$ such that $\mathcal{L} \models \mathrm{in}(\tau, 0, \tau_0)$ and $\mathcal{L} \models (\alpha_p)_\tau$.

Proof. Similar to that of Theorem C.12. □
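The quantifier cases of reduce spelled out in the proofs above (instantiate every substitution in sat, keep a residual quantifier restricted by $\vec{x} \notin S$) and the safety check of Theorem C.12 (reduce rewrites to $\bot$ exactly when some logged time point $\tau \leq \tau_0$ violates $\alpha_p$), as an added example. This is not code from the paper or its implementation. It assumes a constructed tuple encoding of formulas in which variables are strings beginning with '?', a log given as a dictionary from ground atoms to tt/ff with unknown atoms simply absent, restrictions written as lists of conjuncts, and a `complete` flag that stands in for $\tau_0$-completeness: when it is set, a residual $\forall$ rewrites to $\top$ and a residual $\exists$ to $\bot$, the rewriting step the "only if" direction of Theorem C.12 relies on. The function names, the policy and the log contents are all constructed for this example.

```python
"""Miniature reduce over a finite audit log (added example, not the paper's
code).  Constructed conventions: formulas are nested tuples, variables are
strings starting with '?', a log maps ground atoms (pred, args) to True/False
and leaves unknown atoms absent, and a restriction is a list of conjuncts that
are either atoms or ('notin', x, S)."""

TOP, BOT = ('top',), ('bot',)

def atom(pred, *args):
    return ('atom', pred, tuple(args))

def is_var(t):
    return isinstance(t, str) and t.startswith('?')

def subst(f, x, t):
    """f[t/x] for formulas and restriction conjuncts (t is ground here)."""
    tag = f[0]
    if tag in ('top', 'bot'):
        return f
    if tag == 'atom':
        return ('atom', f[1], tuple(t if a == x else a for a in f[2]))
    if tag == 'notin':
        return ('notin', t if f[1] == x else f[1], f[2])
    if tag in ('and', 'or'):
        return (tag, subst(f[1], x, t), subst(f[2], x, t))
    y, c, body = f[1], f[2], f[3]              # forall / exists
    if y == x:                                 # x rebound: nothing free to replace
        return f
    return (tag, y, [subst(r, x, t) for r in c], subst(body, x, t))

def sat(log, c):
    """Substitutions under which every conjunct of c holds in the log (the role
    of sat in the paper).  Atoms match entries recorded True; ('notin', x, S)
    filters.  Well-moded restrictions bind a variable before testing it."""
    sigmas = [{}]
    for r in c:
        nxt = []
        for s in sigmas:
            if r[0] == 'notin':
                if s.get(r[1], r[1]) not in r[2]:
                    nxt.append(s)
                continue
            for (pred, args), val in log.items():
                if pred != r[1] or val is not True or len(args) != len(r[2]):
                    continue
                s2, ok = dict(s), True
                for a, b in zip(r[2], args):
                    a = s2.get(a, a)           # apply bindings made so far
                    if is_var(a):
                        s2[a] = b
                    elif a != b:
                        ok = False
                        break
                if ok:
                    nxt.append(s2)
        sigmas = nxt
    return sigmas

def reduce_policy(log, f):
    """One iteration of reduce: decide what the log decides, keep the rest as a
    residual.  A quantifier over c instantiates every sigma in sat(log, c) and
    leaves forall x.((c and x notin S) => body) behind (dually for exists)."""
    tag = f[0]
    if tag in ('top', 'bot'):
        return f
    if tag == 'atom':
        val = log.get((f[1], f[2]))            # None: not (yet) in the log
        return TOP if val is True else BOT if val is False else f
    if tag in ('and', 'or'):
        return (tag, reduce_policy(log, f[1]), reduce_policy(log, f[2]))
    x, c, body = f[1], f[2], f[3]
    seen = list(dict.fromkeys(s[x] for s in sat(log, c)))
    parts = [reduce_policy(log, subst(body, x, t)) for t in seen]
    out = (tag, x, c + [('notin', x, frozenset(seen))], body)   # residual psi'
    for p in reversed(parts):
        out = ('and' if tag == 'forall' else 'or', p, out)
    return out

def simplify(f, complete=False):
    """The rewriting ->*: absorb top/bot through and/or.  With complete=True the
    log is taken to be complete for every restriction (no extension can add an
    instance), so a residual forall rewrites to top and a residual exists to
    bot.  That flag is this example's stand-in for tau_0-completeness."""
    tag = f[0]
    if tag in ('and', 'or'):
        a, b = simplify(f[1], complete), simplify(f[2], complete)
        unit, zero = (TOP, BOT) if tag == 'and' else (BOT, TOP)
        if a == zero or b == zero:
            return zero
        return b if a == unit else a if b == unit else (tag, a, b)
    if complete and tag == 'forall':
        return TOP
    if complete and tag == 'exists':
        return BOT
    return f

def ground_atoms(f):
    """Ground atoms a residual formula is still waiting on."""
    tag = f[0]
    if tag == 'atom':
        return set() if any(is_var(a) for a in f[2]) else {(f[1], f[2])}
    if tag in ('and', 'or'):
        return ground_atoms(f[1]) | ground_atoms(f[2])
    return ground_atoms(f[3]) if tag in ('forall', 'exists') else set()

def audit(log, policy, complete=False):
    return simplify(reduce_policy(log, policy), complete)

# Constructed policy: at every logged time t, whoever sent PHI at t held an
# authorization recorded for t.  in(t) stands in for in(t, 0, infinity).
POLICY = ('forall', '?t', [atom('in', '?t')],
          ('forall', '?p', [atom('send', '?p', '?t')], atom('auth', '?p', '?t')))

# Constructed logs: at the first audit bob's authorization is not yet recorded;
# later the log gains a time point and decides that atom one way or the other.
LOG1 = {('in', (1,)): True, ('in', (2,)): True, ('send', ('alice', 1)): True,
        ('send', ('bob', 2)): True, ('auth', ('alice', 1)): True}
LOG2_VIOLATION = {**LOG1, ('in', (3,)): True, ('send', ('carol', 3)): True,
                  ('auth', ('carol', 3)): True, ('auth', ('bob', 2)): False}
LOG2_COMPLIANT = {**LOG2_VIOLATION, ('auth', ('bob', 2)): True}

if __name__ == '__main__':
    residual = audit(LOG1, POLICY)            # residual policy after the first pass
    print(ground_atoms(residual))             # {('auth', ('bob', 2))}
    print(audit(LOG2_VIOLATION, residual, complete=True))   # ('bot',)
    print(audit(LOG2_COMPLIANT, residual, complete=True))   # ('top',)
```

The first pass over `LOG1` cannot decide `auth(bob, 2)`, so the residual policy keeps that atom together with residual quantifiers restricted by `notin` sets, exactly the shape the proofs manipulate. Re-running `audit` on that residual against an extended log, rather than on the original policy, is the iterative use the paper describes: the extension that records `auth(bob, 2)` as ff reduces to $\bot$, witnessing a violation at $\tau = 2 \leq \tau_0$ as Theorem C.12 states, while the compliant extension reduces to $\top$ once the residual quantifiers are discharged.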
D HIPAA Case study

This appendix lists the number of subjective and objective atoms in each transmission-related clause in the HIPAA Privacy Rule. #S denotes the number of subjective atoms; #S' denotes the number of such subjective atoms that can be mechanized by a small amount of design effort; and #O denotes the number of objective atoms. The table is sorted by the last column, (#S' + #O) / (#S + #O).

Clause No. | #S | #S' | #O | (#S' + #O) / (#S + #O)
--- | --- | --- | --- | ---
164.502(e)(1)(ii)(B) | 0 | 0 | 5 | 1.00
164.502(a)(1)(i) | 1 | 1 | 3 | 1.00
164.502(a)(1)(iv) | 37 | 37 | 4 | 1.00
164.502(d)(1) | 2 | 2 | 2 | 1.00
164.502(e)(1)(i) | 1 | 1 | 2 | 1.00
164.508(a)(2) | 37 | 37 | 4 | 1.00
164.508(a)(3)(i) | 38 | 38 | 4 | 1.00
164.508(a)(3)(i)(A) | 2 | 2 | 3 | 1.00
164.510(a)(1)(ii) | 2 | 2 | 3 | 1.00
164.510(a)(2) | 2 | 2 | 2 | 1.00
164.512(c)(2) | 1 | 1 | 0 | 1.00
164.512(e)(1)(i) | 3 | 3 | 4 | 1.00
164.512(e)(1)(ii) | 9 | 9 | 4 | 1.00
164.512(e)(1)(vi) | 4 | 4 | 2 | 1.00
164.512(f)(2) | 10 | 10 | 3 | 1.00
164.512(f)(3)(i) | 6 | 6 | 4 | 1.00
164.514(e)(1) | 25 | 25 | 1 | 1.00
164.512(j)(3) | 11 | 10 | 1 | 0.92
164.524(b)(2)(i) | 54 | 43 | 41 | 0.88
164.524(b)(2)(ii) | 53 | 42 | 42 | 0.88
164.512(g)(1) | 4 | 3 | 4 | 0.88
164.510(b)(1)(i) | 2 | 1 | 5 | 0.86
164.502(e)(1)(ii)(C) | 3 | 2 | 3 | 0.83
164.506(c)(5) | 8 | 6 | 4 | 0.83
164.512(b)(1)(v) | 5 | 3 | 7 | 0.83
164.512(k)(1)(iii) | 3 | 2 | 3 | 0.83
164.514(f)(1) | 3 | 2 | 3 | 0.83
164.502(g)(3)(ii)(A) | 2 | 1 | 4 | 0.83
164.502(g)(3)(ii)(B) | 2 | 1 | 4 | 0.83
164.502(j)(2) | 2 | 1 | 4 | 0.83
164.512(b)(1)(ii) | 3 | 2 | 3 | 0.83
164.512(f)(5) | 4 | 3 | 2 | 0.83
164.512(k)(1)(i) | 2 | 1 | 4 | 0.83
164.512(k)(1)(iv) | 2 | 1 | 4 | 0.83
164.512(k)(6)(i) | 3 | 2 | 3 | 0.83
164.512(k)(6)(ii) | 7 | 5 | 4 | 0.82
164.512(i)(1) | 20 | 15 | 6 | 0.81
164.506(c)(3) | 2 | 1 | 3 | 0.80
164.512(b)(1)(iii) | 3 | 2 | 2 | 0.80
164.512(h) | 2 | 1 | 3 | 0.80
164.512(k)(1)(ii) | 4 | 3 | 1 | 0.80
164.512(g)(2) | 4 | 2 | 5 | 0.78
164.512(d)(1) | 6 | 4 | 3 | 0.78
164.502(a)(2)(ii) | 2 | 1 | 2 | 0.75
164.506(c)(2) | 2 | 1 | 2 | 0.75
164.510(b)(1)(ii) | 4 | 2 | 4 | 0.75
164.512(b)(1)(iv) | 3 | 2 | 1 | 0.75
164.510(b)(2) | 5 | 3 | 3 | 0.75
164.512(f)(1)(i) | 17 | 10 | 10 | 0.74
164.506(c)(4) | 6 | 3 | 4 | 0.70
164.502(e)(1)(ii)(A) | 1 | 0 | 2 | 0.67
164.506(b)(1) | 1 | 0 | 2 | 0.67
164.506(c)(1) | 4 | 2 | 2 | 0.67
164.512(f)(6)(i) | 4 | 2 | 2 | 0.67
164.502(b)(1) | 2 | 1 | 1 | 0.67
164.502(j)(1) | 5 | 1 | 7 | 0.67
164.512(a)(1) | 2 | 1 | 1 | 0.67
164.512(f)(1)(ii) | 7 | 4 | 2 | 0.67
164.512(f)(4) | 3 | 1 | 3 | 0.67
164.512(j)(1)(ii)(A) | 18 | 11 | 3 | 0.67
164.512(l) | 2 | 1 | 1 | 0.67
164.512(k)(4) | 4 | 1 | 3 | 0.57
164.512(k)(3) | 5 | 2 | 2 | 0.57
164.512(b)(1)(i) | 6 | 1 | 5 | 0.55
164.502(b)(2)(i) | 1 | 0 | 1 | 0.50
164.508(a)(2)(i)(B) | 1 | 0 | 1 | 0.50
164.508(a)(2)(i)(C) | 1 | 0 | 1 | 0.50
164.508(a)(3)(i)(B) | 1 | 0 | 1 | 0.50
164.510(a)(3)(ii) | 3 | 1 | 1 | 0.50
164.512(j)(1)(ii)(B) | 4 | 1 | 2 | 0.50
164.512(k)(5)(i) | 8 | 2 | 3 | 0.45
164.512(k)(2) | 4 | 1 | 1 | 0.40
164.510(b)(4) | 12 | 3 | 2 | 0.36
164.512(c)(1) | 10 | 1 | 4 | 0.36
164.512(f)(3)(ii) | 9 | 1 | 3 | 0.33
164.512(j)(1)(i) | 5 | 1 | 1 | 0.33
164.514(g) | 9 | 1 | 2 | 0.27
164.510(b)(3) | 4 | 1 | 0 | 0.25
164.502(a)(1)(iii) | 1 | 0 | 0 | 0.00
164.510(a)(3)(i) | 4 | 0 | 0 | 0.00
164.512(c)(2)(i) | 1 | 0 | 0 | 0.00
164.512(f)(6)(ii) | 1 | 0 | 0 | 0.00
164.512(j)(2)(i) | 1 | 0 | 0 | 0.00
164.512(j)(2)(ii) | 1 | 0 | 0 | 0.00
Total | 578 | 402 | 303 | 0.80